In October the European Court of Justice invalidated the 15-year-old “Safe Harbour framework” which enabled commercial data to flow between Europe and the United States. This ruling was groundbreaking as it sets in motion a domino effect which, unless addressed, may entail serious, uncomfortable consequences for Europe. Let me guide you through this domino effect towards data isolationism and finally point out some possible solutions.
European firms, especially small businesses, are scrambling to find alternatives to “Safe Harbour”
For the past 15 years companies have relied on the Safe Harbour framework for EU-U.S. commercial data flows. The court ruling means that firms are now forced to change to other legal mechanisms. What few realise is that 60% of Safe Harbour companies are small and medium-sized companies without legal departments to pursue lengthy and costly alternative legal tools. European firms incorporated in the U.S., such as Adidas America, Inc. and Bayer, also rely on Safe Harbour for transferring payroll and other day-to-day commercial data from Europe to the U.S.
Other data transfer mechanisms are available – until they are not
EU and U.S. negotiators are correctly working hard to agree on a strengthened framework to replace Safe Harbour that can survive future legal scrutiny. In the meantime, the European Commission and the European data protection authorities recommend that companies use other legal mechanisms for EU-U.S. data transfers, namely binding corporate rules and standard contract clauses. However, German authorities are already questioning the validity of such mechanisms and refuse to issue any new permissions for commercial data transfers to the U.S.
What about data transfers to our other major trading partners?
The ECJ invalidated Safe Harbour mainly because of the Court’s understanding of U.S. mass surveillance practices compared with EU laws, while limiting its legal justification to concerns about the European Commission’s original adequacy determination. Besides the special EU-U.S. Safe Harbour framework, the EU has “adequacy frameworks” with 11 other countries. All countries conduct surveillance—often with little oversight—so it may only be a matter of time before someone starts questioning the validity of data transfers from Europe to any of these countries, e.g. Canada or Israel. The consequence could be that personal data wouldn’t be allowed to leave Europe. Welcome to data prison Europe!
Can’t we just store all data in Europe?
When companies suddenly can’t move data out of Europe, the logical answer seems to be to store and process all personal data in Europe. But reducing the “World Wide Web” to a European intranet just won’t work. Companies of all sizes need to be able to move data around the world as part of their daily operations. It would be totally impossible for startups to store data in all the countries in which they operate. A European data localisation requirement would moreover likely cut European companies and consumers off from innovative and helpful services originating abroad. Companies will want to store and process data where it is technically most efficient and as close to their global consumers as possible. They want to spread out data centres to be able to service their clients around the world and around the clock. It is safer to safeguard data in various locations, e.g. to ensure backups in case of disasters like in Fukushima. An often practiced security technique, sharding, depends on chunks of data being split up between different servers so that even if one data centre becomes compromised it does not produce any useful data to the attackers. Rather than protecting data, localisation will lead to a much more costly, inferior, and less secure Internet for Europeans. A de facto data localisation requirement would finally put Europe in a dubious club with authoritarian regimes like Russia and China.
Plunging the EU economy back into recession…
Data localisation requirements are a sort of self-imposed sanction which would seriously disrupt Europe’s digitised economy. Such requirements could lead to EU GDP losses of -1,1% and an overall drop in domestic investments of -3,9%. This could effectively plunge the entire Eurozone area’s GDP back into recession. The EU is a world leader in services exports. A quarter of these (and growing) are digitally deliverable services, which would be seriously disrupted by data localisation requirements.
Can we even trust other European governments?
If companies cannot transfer data to third countries, e.g. because of mass surveillance concerns, then they will be limited to only transferring data within Europe. But wait, what about new surveillance laws in European countries that may go beyond those in the U.S.? France enacted its controversial “Loi relative au renseignement” after the Charlie Hebdo attacks. Clearly, countries need surveillance laws to fight terrorism and serious crime, but they should be careful how they craft these to avoid misuse and ensure a balance with people’s fundamental rights. Edward Snowden called a new UK draft surveillance bill the “most intrusive and least accountable surveillance regime in the West.” Germany has been spying on many of its neighbouring countries, including Austria and France, in addition to NGOs like Oxfam. In short, European Member States have enacted surveillance laws similar to those the U.S. is currently reforming. Ultimately, if we follow the logic of the court’s Safe Harbour ruling, we should only store data nationally or not at all.
A safer Safe Harbour
European negotiators have correctly emphasised that the new Safe Harbour framework must address the concerns expressed in the ECJ ruling. European data protection supervisors could be given a much stronger oversight role with the ability to investigate possible complaints. Requests for data for national security purposes by governments must also be limited and proportionate. Third countries’ privacy frameworks should be benchmarked with the laws of EU Member States. We cannot demand that the U.S. abide by higher standards than those in EU Member States. No double standards. Consumers and companies need certainty that the new EU-approved legal data transfer mechanism will remain valid and won’t continuously be contested by national or regional authorities.
The real question: Why aren’t other countries copying Europe’s data rules?
The EU enacted its existing data protection directive back in 1995. As it dates from before the Internet age, it has since become clear that it isn’t an effective model for enabling data transfers abroad. Only 11 third countries worldwide, half of which are tiny tax havens, have copied the EU’s framework and been rewarded with easier data access to the EU in return. The EU is about to finalise its new data protection framework which builds on the existing bureaucratic “adequacy framework” for third country data transfers. Negotiators in Brussels seem to ignore that no major third countries have copied the EU’s “adequacy framework”.
The EU would do a favor to its companies and consumers by studying global best practices for data transfers. Europe is a world leader in digitally-delivered services trade. Let’s have a first-class framework for cross-border data flows with strong data protections.
Locking up Europe’s information won’t work in today’s data-enabled global economy. The Safe Harbour ruling should be a wake-up call to not only design a new and safer Safe Harbour but to build an EU data protection framework fit for our interconnected 21st century.