October 7, 2015
The Broad Implications of the Newly Invalid US-EU Data Pact
Exposure to lawsuits from data breaches and other failures to protect privacy are part and parcel of digital commerce. For global companies, the exposure of lawsuits in multiple jurisdictions with differing standards is a potential impediment to the free-flow of data and effective global competition. Unfortunately, the European Court of Justice (ECJ), the highest European court, has thrown a wrench in the system by invalidating the “Safe Harbor Provision,” which granted free flow of information between the U.S. and the Europe.
The EU Court’s decision puts transatlantic digital trade into turmoil. For the thousands of U.S. businesses and the millions of jobs that rely on this agreement as a means of moving information, this development will be costly. But more importantly, the ECJ has just taken a massive step towards balkanizing the Internet and freezing digital competition.
What is the “Safe Harbor Provision?”
In 1995, the European Economic Area (EEA), which included the 28 EU Member States, established a legal framework for privacy and cross-border data transfers, which limited European data from being transferred to the United States. From 1998 to 2000, the European Union worked with the U.S. to hammer out the Safe Harbor provision, allowing companies to transfer information in and out of the EEA without fear of European lawsuits. Up until yesterday, U.S. companies could self-certify through the U.S.-EU Safe Harbor program administered by the Department of Commerce. Over 4,000 companies self-certified through this program, including the largest players in the Internet ecosystem, as well as small and medium sized companies that have a presence in Europe.
What Happened and What’s Next
The Court offered a litany of reasons for the decision, but failed to provide guidance on a way forward. One concern of the ECJ is that the Safe Harbor program ultimately compromises “the essence of the fundamental right to effective judicial protection.” This issue could be addressed by legislation that allows for these cases to be brought in U.S. courts. The ECJ also said that the program doesn’t protect “the essence of the fundamental right to respect for private life.” Given that, it is unclear that any privacy regime, other than those directly copying the EU, would actually suffice to protect this right in the eyes of the courts.
As a practical matter, this means that U.S. companies will have to localize data on European servers and limit transfers of data between the U.S. and the EU, thus fracturing the open Internet. This will also ensure that the biggest players in the tech economy remain at the top without competition from newcomers since the compliance costs of this new and complicated legal regime will hinder startups.
The impact on digital trade is sure to be significant. In 2012, the U.S. exported “$140.6 billion worth of digitally deliverable services to the EU and imported $86.3 billion worth,” for a total of $227 billion. As a result of the court case, all of the services enabled by cross-border data flows will become more expensive. U.S. companies that connect to offices in Europe or have research networks in the region will have to adjust. The free flow of data enabled by the Safe Harbor allows geographically diverse businesses to source supply chains that span the Atlantic, but now this task just became even more costly. European businesses may even be compelled to remove information from U.S.-owned cloud services, even if that information resides on European soil.
The court decision also just placed a massive strain on broader trade agreements between the two economic powerhouses. The United States and the EU account for a third of all world trade and nearly half of global economic output, while 13 million U.S. jobs depend on this trade and investment.
Yesterday’s court decision is bad news for everyone. The Internet has been a positive economic and social force because of its openness, but the court decision just took everyone a step back. While digital trade will surely suffer, this case might just be a prelude to the new privacy law that EU regulators are readying. Considering the line of bad policy coming out of the EU, what is coming next might be even worse.