American firms scramble for answer to EU data dilemma

U.S. firms of all sizes are racing to find a way to keep handling foreign data after a European court struck down the international Safe Harbor legal framework over privacy worries.

U.S. leaders are busy negotiating a pact, dubbed Safe Harbor 2.0, in response to the European Court of Justice’s October ruling.

But experts say there is no reason for companies to believe that the new agreement won’t be struck down as summarily as the old one. Absent new, stricter data security laws in the U.S., policy specialists warn a new Safe Harbor pact will immediately come under fire.

“What we now know is that [Safe Harbor] can be attacked from Day One,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the U.S. and the European Union. “And I expect it will be.”

Congress can help fend off these attacks by preemptively passing new data security laws, several lawmakers insisted Tuesday.

“If we fail to do that, the economic implications could be disastrous,” said Rep. Jan Schakowsky (D-Ill.).

The original Safe Harbor agreement, negotiated in 2000, allowed companies to handle European citizens’ data by self-certifying that they met Europe’s more stringent privacy requirements. The deal has helped make the U.S.-EU economic relationship unsurpassed in the world, with bilateral trade that topped $1 trillion in 2014.

But Europe’s high court ruled that the U.S. was not offering adequate protections, thanks to its “indiscriminate” surveillance practices — rendering the pact invalid.

The Commerce Department and the European Commission have been scrambling since to update the agreement, which was used by 4,400 companies to legally facilitate data transfers for everything from social media to hotel bookings to payroll.

A working group of data protection authorities — separate entities from the European Commission — have given negotiators a three-month grace period to come up with an updated agreement before they will take enforcement action.

Commerce Secretary Penny Pritzker, the lead U.S. negotiator, has issued positive reports, assuring companies that the two parties had reached consensus “in principle” and are hammering out the details in advance of the January deadline.

“A solution is within hand,” she told reporters in Germany last week. “The solution … is Safe Harbor 2.0, which is totally doable.”

But the gap between the ruling and a new agreement is still dicey. Germany’s data protection authority announced last week that despite the working group’s assurance, it would be proactively investigating data transfers to the U.S., beginning with Google and Facebook.

And even if the new agreement does come to fruition, many believe it won’t alleviate the uncertainty.

“I think you will almost immediately see European data protection agencies attack the revised agreement,” said Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), a digital rights advocate, at a hearing Tuesday held by two subcommittees of the House Energy and Commerce Committee.

These attacks are expected to land the new agreement back in court.

“This will most likely have to be ultimately settled again by the European Court of Justice because the data protection authorities have been given the clear authority to investigate complaints regarding adequacy of data flows,” Brookings Institute senior fellow Joshua Meltzer said at the same hearing.

The result is that more well-off firms are looking into storing their European data within EU borders. It’s an expensive option, but one that at least offers a permanent solution.

EU data regulators have already urged companies to consider housing European citizens’ information in Europe.

“Anyone who wants to remain untouched by the legal and political implications of the judgment should in the future consider storing personal data only on servers within the European Union,” Hamburg’s data protection officer, Johannes Caspar, said last week.

But shifting data storage across the Atlantic can be expensive — in some cases, prohibitively so.

“The smaller companies wouldn’t be able to do that,” Computer and Communications Industry Association public policy and regulatory counsel Bijan Madhani told The Hill. “It takes a lot of money to either stand up your own data center or pay someone else to host your data locally. That’s the last-resort option.”

The European Commission has insisted other legal options are open to companies, but privacy regulators — specifically from Germany — have cast doubt on the validity of those mechanisms as well.

The most common alternatives could also prove too expensive and cumbersome for small businesses. One solution proposed by the European Commission can cost companies more than $1 million and take 18 months to fully implement, experts say.

That means many smaller firms are left with little choice but to wait and see — and hope that a new framework will be forthcoming.

But experts and lawmakers say that a long-term solution will require a fundamental shift in American privacy policy.

The court’s ruling, Schakowsky said during Tuesday’s hearing on the topic, “does rightly call into question the adequacy of U.S. data security practices.”

Schakowsky said she is preparing a new bill that would “require strong security standards” for personal data such as geolocation data, health records, biometric details and email and social media account information.

The measure would also require companies hit by hackers to notify their consumers of the breach within 30 days of its discovery, she added. It would join a series of similar bills that have all stalled in recent months.

“My bill would enhance data security standards here at home, and it would probably have the added benefit of making the EU more confident in U.S. privacy and data security standards,” said Schakowsky, the ranking member of the Energy panel’s Subcommittee on Commerce Manufacturing and Trade, one of the two subpanels holding the hearing.

Several lawmakers insisted Congress needs to go further.

“There’s an elephant in the room,” said Rep. Anna Eshoo (D-Calif.), and it’s the “privacy concerns relating to U.S. surveillance methods.”

“I think if we don’t really deal with this, we’ll be missing a larger point here,” added the top Democrat on the House Subcommittee on Communications and Technology, the other subpanel behind the hearing.