The U.S. technology sector received a surprise jolt in October when the European Court of Justice struck down the Safe Harbor Framework, setting off a scramble to accommodate this sudden shift in privacy regulations. The framework was established in 2000 to govern how companies could transfer personal data from the EU to the U.S. while preserving the individual's right to privacy. The idea was that a U.S. business was Safe Harbor compliant as long as it self-certified that it protected EU residents' personal data to a standard equivalent to European law, which allowed it to store and process that data outside of the EU.
Ultimately, the person responsible for starting the chain of events that resulted in the end of Safe Harbor is Edward Snowden, the former National Security Agency (NSA) contractor who leaked classified documents exposing the NSA's mass surveillance activities. The EU responded very negatively to the Snowden revelations in general, but the specifics of the NSA's PRISM program in particular form the core of the legal argument against Safe Harbor, which reached the court through a complaint by Austrian privacy campaigner Max Schrems against Facebook's Irish subsidiary. The European Court of Justice decided that the NSA's ability to access personal data en masse, and without effective judicial redress for the people affected, meant that European citizens' data was not adequately protected in the United States. Privacy and the protection of personal data are fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights, which the court relied on, and under Article 8 of the European Convention on Human Rights. As a result of the ruling, companies can no longer rely on Safe Harbor to justify transfers of personal data from the EU to the U.S.; transfers must instead rest on another legal basis, such as standard contractual clauses or binding corporate rules, and European data protection authorities have given companies until the end of January 2016 to put such arrangements in place before enforcement begins.
The question now is, what will happen next? Currently, there are negotiations occurring between the U.S. and the EU to try and establish a “Safe Harbor 2.0,” but there are still significant concerns on the European side about the surveillance capabilities of the U.S. government. There is also some frustration on the American side, as some critics have pointed out that several EU member states have more invasive surveillance programs than the U.S., but those nations are not being economically penalized for it. However, all this controversy may be rendered moot in the next year.
The EU expects to finalize the General Data Protection Regulation in late 2015 or early 2016. Proposed by the European Commission, it would replace the 1995 Data Protection Directive, which each member state transposed into its own national law, with a single regulation that applies directly across the Union. If it is adopted on schedule, the new regulation would take effect after a two-year transition period. While unifying the various European data protection regimes under one set of rules would be more efficient, it also means that the legal framework on which Safe Harbor rested will be rewritten, so any successor agreement will have to be negotiated against the new rules and will remain subject to court review on the same fundamental-rights grounds that sank Safe Harbor. Additionally, there are concerns that it will be more restrictive than many current national laws, and that it could have an adverse effect on member state economies. The full effects of the General Data Protection Regulation are unclear, but U.S. companies will need to keep a watchful eye in order to avoid being blindsided once again.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.