To paraphrase George Bernard Shaw: ‘Europe and America are two powers divided by a common desire for privacy.’ The difference in our respective approaches to the protection and sharing of personal data may not have been significant for the best part of the last two centuries, but the explosion of the World Wide Web means that data can whizz around the ether unfettered. This cross-border data-sharing has implications for all users, as consumers or as suppliers. In 2000, the Safe Harbor agreement came into force. This was an agreement between the United States Department of Commerce and the European Union that regulated the way that U.S. companies could export and handle the personal data of European citizens. It was an attempt to smooth the legal bumps in the passage of data between the EU and U.S., and to stimulate the international reach of major tech companies. So far, so good. However, Safe Harbor relied upon stated guarantees of parity between two diverse legal systems and cultures, which subsequent revelations showed could not be fulfilled.
End of Safe Harbor
When the European Court of Justice (ECJ) ruled on Oct. 6, 2015 that the Safe Harbor agreement was no longer valid, the supply of Software as a Service (SaaS) across international borders was thrown into confusion. Suddenly, thousands of organizations, including clients of my own growing software business, find themselves facing possible prosecution under local data protection laws if personal data is sent outside the EU. For example, one client who uses Facebook competitions to attract and retain supporters is no longer able to ask winners to message their address for prizes. Why? Because they would be requesting personal data to be sent to them through Facebook, thus potentially exposing it to a cross-border server.
The disruption to EU-based users is substantial. Market-leading cloud tools for day-to-day business management, including development environments, Voice over Internet Protocol calls, email marketing, community building, client support and sales management, tend to be U.S.-based. Client and contact information held within account databases cannot be guaranteed to remain in the EU: this is technically a data breach. Do we continue to use familiar systems, or seek alternatives?
If it’s a problem for users, it’s a huge headache for tech firms. A Reuters report suggests that over 4,000 firms, including the likes of IBM, Google, Ericsson, Facebook and Apple, relied on Safe Harbor for the smooth delivery of services to the EU. IBM is quoted as saying that the ruling has “created commercial uncertainty and jeopardized the flow of data across borders.” Closer to home, my company was lucky enough to win a high value of hosting credits at a South by Southwest (SXSW) contest last year. This would have enabled us to host our software and our clients’ data for free, a significant reduction in overheads for a growing business. On the eve of transferring our data, we discovered the credits only applied to the U.S. servers, not to the U.K. locations. We stopped the transfer and kept our data U.K.-based to serve the needs of our current clients. Now we’re dealing with different security requirements from prospective U.S. clients who insist we manage their data within the U.S. under federal law. Confused? So are we!
Why are US and EU laws so different?
On the face of it, you’d expect U.K. and U.S. laws, at least, to be very similar. After all, the American Constitution has its roots in English Common Law. How have we diverged so greatly? The answer is found in one major historical event and its legacy: the Second World War. After the war, the Council of Europe was formed, and in 1949 work began to develop the European Convention on Human Rights (ECHR). Few people would disagree that human rights were devastatingly compromised during the war, and the ECHR is a very strong declaration in favor of democracy, freedom, and the rights of the individual. In 2009, the European Charter of Fundamental Rights combined the ECHR and individual pieces of legislation from different states into one Charter; this is legally binding on all states in the EU. The right to personal privacy is explicit. This blanket protection is the starting point for regulation in Europe, with subsequent case law allowing limited access to personal data.
At the opposite end of the scale, U.S. privacy rights have developed through the natural evolution of common law, against the background of the right to free speech and freedom of the press, as enshrined in the Constitution and First Amendment. While the common law tort of invasion of privacy grants the individual “full protection in person and in property,” it has been applied on a case-by-case basis, and as both society and technology have developed, the legislation has been trying to keep up with new contexts of privacy. The race to stay abreast of such developments is demonstrated by this influential 125-year-old response to aggressive journalism and new-fangled photographic technology: “The Right to Privacy,” by Warren and Brandeis, published in the Harvard Law Review in 1890.
Modern tort law, evolving since Warren and Brandeis, protects from ‘intrusion of solitude, public disclosure of public facts, false light, and appropriation.’ Federal law places limits on government intrusion, and individual states have added other protection piecemeal. This complexity of legislation is nicely summed up from an external viewpoint by Practical Law in their comprehensive guide for U.K. exporters, where they describe a “patchwork system of federal and state laws, and regulations that can sometimes overlap, dovetail and contradict one another.”
In the EU, something is private unless declared otherwise; in the U.S., privacy is an inalienable right, but invasion of such privacy is defined sector-by-sector and case-by-case. This weighty EU study, “A comparison between US and EU data protection legislation for law enforcement purposes,” makes it very clear that “the approach to data sharing is fundamentally different.”
Google and the right to be forgotten
In the U.S., citizens can and do challenge data protection breaches, but national security interests may prevail as a general rule. EU citizens have no right to challenge privacy violations in the U.S., although the opposite is true. EU citizens can mount legal challenges to privacy violations wherever they occur, whether this is a mistake by your HR department, unwanted contact from a vendor, a lost government laptop, or a national law enforcement agency investigation. National security interests do override certain challenges, but on a strict case-by-case basis.
One of the most high-profile examples of privacy law discrepancies, which pre-dates the end of Safe Harbor by a year and a half, is the EU’s “Right to be forgotten” campaign against Google. The European Court of Justice (ECJ) ruled in May 2014 that Google had a responsibility to delete links concerning old, irrelevant, misleading personal information. By November 2015, Google confirmed that they had received almost 350,000 requests to remove 1.2 million URLs from search results. Google fought hard, arguing that a search engine should not be the arbiter of privacy, but the ECJ prevailed in its interpretation of fundamental rights. Enforcing a similar right would be unthinkable in the U.S.: This discussion in the New York Times suggests such action would violate the First Amendment.
Will Snowden’s revelations undermine agreement or force convergence?
The final straw for Safe Harbor was PRISM, the clandestine surveillance program run by the NSA that collects internet communications from at least nine major US internet companies. Although President Obama described this, when visiting Germany in 2013, as “a circumscribed, narrow system directed at us being able to protect our people,” online data from across the world does tend to pass through the hands of U.S. internet companies. The protection of U.S. citizens, therefore, comes at the expense of the rights that non-U.S. internet users expect under their own sovereign legislation. The Edward Snowden revelations on PRISM prompted Austrian privacy activist Max Schrems to start his actions against Facebook, ultimately triggering the ECJ ruling on Safe Harbor, rendering the agreement unworkable.
The new agreement which aims to fill the Safe Harbor vacuum was published on Feb 2, with the details due to be released by the end of the month. The “Privacy Shield” refers to “strong obligations” on companies that handle the personal data of EU citizens, coupled with “robust enforcement” and “clear safeguards and transparency obligations” on US government agencies. The US has “ruled out indiscriminate mass surveillance” on European personal data transferred to the US, although exceptions to this rule are already emerging.
Unfortunately, there are already grave doubts that this shield will hold. Max Schrems, speaking in New York on Feb 22, called for a stable agreement rather than a quick fix. It’s becoming apparent that the EU stance of personal privacy as a comprehensive ideal may be more cultural than practical. National surveillance policies in individual states don’t necessarily measure up to the more stringent EU requirements, suggests this Politico article. For example, Snowden’s later revelations claim that agencies such as the U.K.’s Government Communications Headquarters (GCHQ) are already conducting US-style surveillance. Furthermore, the U.K. government slid its new Investigatory Powers bill into parliament late last year, as reported here in The Conversation. This attempt to ban end-to-end encryption is making its slow progress towards legislation; if enacted, this policy could cause more upheaval than the loss of Safe Harbor.
The fallout over the end of Safe Harbor has been well documented elsewhere; this Fortune article sums up the whole intractable problem nicely. Given the current focus of our respective constitutions, it looks as if there’s little hope of convergence or of reaching a practical and stable agreement along current lines.
However, I’d argue that Snowden’s revelations demonstrate there is, in the end, little difference in the practical application of data sharing, or data surveillance, state-by-state. Maybe our lawmakers need to be less sensitive, and recognize that the advantages of cross-border trade and technology outweigh our fundamental privacy concerns.