Who Will Write the Rules for Data Privacy? The End of Safe Harbor...
A few weeks ago the European Court of Justice ruled that the Safe Harbor Agreement between the United States and the European Union was invalid. The ramifications of this are still being felt.
Safe Harbor has enabled the Googles and Facebooks of the digital world to conduct business on a global scale. Digital companies based in the U.S. have to comply with very different privacy laws in the U.S. (where privacy laws are weak) as well as in the E.U. (where they are strong). Since these firms view it as extremely undesirable to re-create how their businesses function in every locality in which they want to operate, the Safe Harbor Agreement instead let U.S. companies voluntarily sign on to providing Safe Harbor protections in exchange for what amounted to automatic pre-approval to do business in all E.U. nations.
In the U.S., Safe Harbor was seen as a boon for American businesses; in the E.U., it was seen almost immediately after passage as a threat to individual privacy.
What's interesting about the ECJ's ruling is that Safe Harbor wasn't overturned based on the old criticism that the Agreement relied on the voluntary compliance of companies. Rather, the ruling was based on the threat of U.S. government surveillance.
Daniel Solove of George Washington University writes that "the main reason for the invalidity of Safe Harbor is the failure of US law to provide adequate limitations and redress from government surveillance, especially NSA surveillance. In particular, the ECJ was troubled by the fact the NSA could engage in massive surveillance and that US courts had failed to provide a way for people to challenge that surveillance [in court]... Essentially, the ECJ held that because the NSA's surveillance is virtually unstoppable, the Safe Harbor cannot guarantee an adequate level of protection."
This is more monumental than most people probably realize. In the short term, about 4500 U.S. firms have had to scramble to adjust how their digital businesses operate. But they will adjust. The longer-term question, however, looms quite large: Who will write the rules for data privacy?
Pressure stemming from the ECJ decision is now forcing American firms to comply with far stronger privacy protections than what they're used to operating under in U.S. law. And there may be little they can do about it if they want continued access to European markets.
In this race-to-the-top, the E.U. is now effectively creating large swaths of U.S. data privacy law.
Solove is right to note that "The costs of NSA surveillance keep mounting" and that "U.S. companies have no love for the NSA or the weak legal protections against government data gathering -- it erodes the trust companies are building with consumers". Firms like Microsoft and Google have been especially vocal on this front.
In an attempt to end on a more hopeful note, Solove states that maybe, in the aftermath of Safe Harbor's demise, companies might now have "the leverage and incentive to convince policymakers to better regulate government surveillance". That would be nice. But the bigger issue remains whether, in the global digital economy, the anything-goes culture of the virtually non-existent privacy laws of the U.S. has any chance of enduring while much of the rest of the world dissents.