Digital Privacy: Europeans Threaten to Halt Data to US

02_02_Halt_Data
Britain's Home Secretary Theresa May, left, listens as U.S. Attorney General Loretta Lynch speaks at a "Countering Terrorism: A Global Perspective" event at Chatham House in London on December 9, 2015. Lynch said she was disappointed by a European Union court decision to strike down a data transfer deal and said legislation in the European Parliament might further restrict information sharing. Toby Melville/Reuters

Updated | Grave economic damage is looming in Europe that left unchecked will have ripple effects on the global economy.

Privacy regulators in Europe are imminently threatening to cut off data flows to the United States because of sensationalized concerns about unfettered access to European data by U.S. law enforcement and national security authorities. 

Prohibiting transfers to the U.S., however, will not protect European citizens; it will hurt them and the rest of the world. In its efforts to defuse the current privacy standoff, the US and EU have frantically concluded a deal this week which may do little to resolve these tensions and possibly put American business at a competitive disadvantage.

Europeans have long claimed the higher moral ground in the privacy debate because they have comprehensive, continent-wide privacy laws while the U.S. has a more complicated system of federal and state laws. To bridge these different legal systems, the U.S. and EU negotiated an agreement 16 years ago, known as the Safe Harbor Framework, that enabled companies to transfer data legally from Europe if the U.S. companies receiving the information agreed to protect it in accordance with a set of agreed upon privacy principles which were enforceable under U.S. law.   

In October 2015, the European Court of Justice (ECJ) invalidated the agreement, on which tens of thousands of companies in the EU relied to share information regarding employees, customers and business partners with US companies.

The ECJ decision was driven almost entirely by concerns relating to access to European data by U.S. law enforcement and national security authorities and the fact that European citizens did not have effective judicial redress against the U.S. government.  

To address European concerns about judicial redress, the U.S. Congress is poised to enact legislation that would provide Europeans with rights substantially similar to U.S. citizens under the U.S. Privacy Act.  The U.S. Department of Commerce has also proposed modifications to the original Safe Harbor Framework.

Despite these numerous, yet to be disclosed concessions, European privacy regulators continue to insist that the U.S. needs to do more and have threatened, on the basis of the ECJ’s Safe Harbor ruling, to invalidate other ways that hundreds of thousands of companies use to transfer data lawfully under EU law to inadequate countries.

They mistakenly believe that these other ways (known as legal exceptions) such as EU-approved contracts and company-wide privacy codes, individual consent or contractual necessity do not provide sufficient protection for European data.  

Using the ECJ decision to invalidate these alternative ways is misplaced. European privacy rules require that data be transferred only to countries that provide adequate protection but provide some exceptions.

Adequacy is determined by evaluating a multitude of criteria. These criteria were used to find the original Safe Harbor Framework adequate; however, the ECJ invalidated that determination not because it found the Safe Harbor principles (or even U.S. privacy laws) provided inadequate protection, but because the European Commission failed to follow proper rules for establishing adequacy.

The ECJ decision did not invalidate the mechanisms used to transfer to inadequate countries. Moreover, the validity of these legal exceptions was reaffirmed in the new European privacy regulation which will take effect in 2018. European lawmakers recognize that personal information must be transferred to more than a handful of countries deemed adequate.  

In fact, European privacy regulators do not have the authority to strike down the legal exceptions found under European law. They are only permitted to prohibit individual transfers if, for example, they have evidence that the receiving company is subject to domestic laws that interfere with privacy rights in a way that goes beyond “what is necessary in a democratic society.” This is a very high threshold.  

European privacy regulators also fail to understand the robust system of checks and balances the U.S. has under the Constitution which protects against unreasonable searches and seizures. They falsely presume that Europe’s own surveillance laws and practices provide greater protections, which is surprising given recent French and Belgian surveillance activities and suspension of civil rights in the aftermath of the Paris terrorist attacks.  

If these regulators were to examine the facts, it would quickly become clear that they are holding the U.S. to a far higher standard than Europe. Moreover, to take the position that U.S. protections are inferior, they would need to reach identical conclusions about some of their other significant trading partners such as China, Russia, Japan, India and Brazil.

A lot is at stake here. U.S. and European citizens, businesses and government policymakers should be deeply concerned if cooler heads do not prevail. Cutting off data flows from Europe will impede their citizens’ access to affordable products and services, and, if they work for a multinational company, their ability to use their own company’s global email systems and receive corporate benefits.  

European efforts to fight fraud would also be impeded.

Finally the global efforts by the private and public sector to stop terrorists would be significantly degraded.

Privacy brinkmanship is not productive at a time when the world is grappling with growing terrorist attacks, refugee crises and economic uncertainties. It is time to dial back the rhetoric and bring greater sanity and clarity to the privacy debate.  

A deal concluded too hastily before it is sufficiently vetted with both American and European consumers and business communities will not be good for either side.   

This article has been updated to reflect that a deal has been struck between the U.S. and EU.

Miriam Wugmeister is a partner at Morrison & Foerster and co-head of the firm’s privacy and data security practice. Cynthia Rich is a senior privacy Adviser at Morrison & Foerster and was a member of the U.S. government team that negotiated the 2000 US-EU Safe Harbor Agreement.