EU: No Safe Harbor for US firms

A European court on Tuesday tossed out a long-standing agreement between the United States and European Union over how private data handled by Facebook and other companies can be exchanged, inflaming transatlantic trade tensions.

The European Court of Justice’s ruled that U.S. companies can’t be assumed to meet EU standards for keeping data private following revelations about U.S. surveillance practices by former defense contractor-turned-whistleblower Edward Snowden.

{mosads}But without the protection of the Safe Harbor agreement, more than 4,000 companies in industries including technology, financial services and hospitality will be left scrambling to meet alternative regulations in order to transfer data across the Atlantic.

Critics say this will create uncertainty and put onerous requirements on companies that do business internationally.

“Safe Harbor has made [the transfer of transatlantic data] pretty frictionless, and this decision has thrown some massive sand in the gears,” said Cameron Kerry, senior counsel at Sidley Austin and formerly the chief international negotiator for privacy and data regulations at the U.S. Department of Commerce.

The technology industry responded with outrage, claiming that the ruling will hurt consumers by disrupting the transfer of their data.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” the Computer & Communications Industry Association’s Europe Director Christian Borggreen said in a statement.

While European regulators have said there are a number of alternative routes that U.S. companies can use to ensure they don’t violate EU data law, legal experts say each of those options comes with its own set of headaches.

“They all have problems,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.

Many say that the companies most likely to be hurt by the ruling are not tech giants exchanging troves of social media data but smaller companies that may not have the resources to build multiple layers of privacy protection into their transactions.

A dual-layer approach is probably “moderately common” and is certainly best practice, said Foster, but not all companies have been consistently relying on side agreements as a backup to Safe Harbor. Switching to alternative methods won’t be possible for those companies overnight.

Facebook, the defendant in the original case brought before the court, assured European clients that it has multiple layers of legal protection in place and that data flow will not be disrupted.

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor,” the company said in a statement.

Critics also claim the ruling could create a country-by-country patchwork of enforcement as lower courts take on more cases like the original complaint. 

That uncertainty has U.S. firms spooked.

“It is particularly alarming that this long-standing agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law while a new agreement is negotiated or as they transition to new mechanisms,” the U.S. Chamber of Commerce said.

The European Commission tried to reassure companies on Tuesday that it will work to create a uniform regulatory environment, but whether officials will be able to move quickly enough to protect Safe Harbor firms is a game of “wait and see,” observers say.

“We’ll have to see how the process of getting a unified position and some guidelines for the national data protection authorities — how quickly and how clearly that gets done, this puts urgency on doing that,” Kerry said.

The decision also puts pressure on U.S. and EU regulators to wrap up negotiations on an updated version of Safe Harbor that began in 2013.

Observers say that questions over the scope of exemptions granted to government agencies for national security purposes have stymied discussions.

Lawmakers and tech groups alike urged the two governments to resolve their differences quickly in light of the importance of Safe Harbor to transatlantic trade.

“Data flows are the lifeblood of modern commerce and underpin trade and investment across the Atlantic and around the world,” Information Technology Industry Council President Dean Garfield said.

“The Safe Harbor has been indispensable in facilitating the cross-border flows of data that are as critical to transatlantic and global business as maritime shipping lanes and currency exchanges,” he said.

Others were more pointed in their criticism of a court decision, calling it overly political.

Post-Snowden, the U.S. has struggled to rebuild trust with the EU, where data privacy is considered a basic right under the Charter of Fundamental Rights.

“By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses,” Sen. Ron Wyden (D-Ore.) said in a statement. “This misguided decision amounts to nothing less than protectionism against America’s global data processing services and digital goods.”

The White House also expressed concern about the ruling, echoing criticism that the court based its decision on a poor understanding of the National Security Agency’s PRISM program.

“We have many concerns about this ruling,” President Obama said in a White House press briefing. “One of them is that it was based on incorrect assumptions on privacy protections in the United States.”

Because the U.S. gives intelligence agencies unfettered access to private data, it by definition infringes on European citizens’ right to data privacy, the EU court found.

“National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme,” the court wrote. “The United States Safe Harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.”

European regulators praised the decision in a Tuesday press conference.

“Today’s judgment is an important step towards upholding Europeans’ fundamental rights to data protection,” First Vice-President of the European Commission Frans Timmermans said.

Snowden took to Twitter immediately following the decision to praise the plaintiff in the original case against Facebook.

‘‘Congratulations, @maxschrems,” Snowden wrote. “You’ve changed the world for the better.”