New EU privacy rules could widen the policy gap with America

Updated October 6th 2015: EUROPE'S highest court today struck down the safe-harbour agreement, arguing that "legislation permitting [American] public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life." The judges also ruled that national data-protection authorities within the EU do have the right independently to examine firms which transfer personal data across the Atlantic. In its initial statement the court did not mention a grace period that would allow companies to adapt to the ruling.

LAWYERS who specialise in data protection have been much in demand in recent days. Their clients are scrambling to understand the possible implications of a ruling expected on October 6th from the European Court of Justice (ECJ). Depending on what the continent’s highest judges decide, not only could much higher barriers be erected to the flow of data from the EU to America, but a serious transatlantic row could be brewing over privacy and data protection in the digital world.

The questions before the court relate to the so-called safe-harbour pact between the EU and America negotiated in the late 1990s. It was an attempt to bridge deep cultural and political differences regarding online privacy: the EU sees protection of personal data as a fundamental human right; America considers it mainly in terms of consumer protection, which allows trade-offs and exceptions when national security seems to be under threat. The pact allows firms to export data from the EU to America if they provide safeguards equivalent to the requirements of the EU’s data-protection directive, including giving people the right to opt out of data collection and an undertaking not to pass personal information to third parties that do not follow such rules (hence “safe harbour”).

Privacy activists have never liked the pact’s reliance on self-certification. Firms can draw up a privacy policy and call themselves compliant, which nearly 5,500 have done. In late 2013 the European Commission published a list of the scheme’s “deficiencies”, including firms that falsely claim they follow the rules, incomprehensible privacy policies and lame enforcement by America’s Federal Trade Commission. Still, politicians and even many data-protection officers kept mum as European data mounted up in American data centres—until Edward Snowden, a contractor for America’s National Security Agency (NSA), leaked secret intelligence documents. Europeans were particularly shocked by PRISM, an NSA programme to collect data from big internet firms. Arguing that this sort of surveillance meant Facebook was unable to protect his privacy, Max Schrems, an Austrian campaigner, filed a complaint against the social networking site in Ireland, its European base. When the Irish data-protection authority said it did not have the authority to second-guess the European Commission which, by signing the safe-harbour pact, had decided that America’s data-protection rules were adequate, Mr Schrems took his complaint to the Irish High Court, which referred it to the ECJ.

The case, hitherto of interest mainly to privacy wonks, made headlines on September 23rd when the court’s advocate general, Yves Bot, published a strongly worded opinion siding with Mr Schrems—and going even further. National data-protection authorities had the right to make their own assessments of American firms’ privacy safeguards, he argued, adding that America’s data-protection rules are inadequate and the safe-harbour pact should be suspended. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” he said in a statement.

The court does not always follow the advocate general’s opinion. And it usually takes several months to hand down a decision. But in this case it seems to have felt the need to move quickly—which has given rise to speculation. Some say the judges want to end the uncertainty created by Mr Bot; others, that they want to put pressure on the American government and European Commission to wrap up a renegotiation of the safe-harbour pact, which has been dragging on for almost two years. Opinions about the outcome are equally split. Nick Graham of Dentons, a law firm, expects a narrow ruling on whether national data-protection authorities may make their own assessments; Eduardo Ustaran of Hogan Lovells, another law firm, thinks the court may strike down the safe-harbour pact altogether—perhaps even without a grace period for firms to adapt.

Abrupt change would be the worst outcome for firms that rely on the safe-harbour pact for their digital transfers. They include not just online firms that, for example, crunch user data to target ads, but low-tech ones that simply send home payroll data and the like. Both would have to scramble to find another legal basis for their data transfers. They might be able to use “model contracts” developed by the European Commission for providers of cloud services and their customers. But these are much more onerous than safe-harbour rules. Meanwhile, activist national data-protection officers are likely to launch their own investigations into privacy practices of American firms.

A far-reaching decision would probably throw a spanner into the safe-harbour renegotiation. Insiders say that agreement has been reached on 11 of the 13 points raised by the EU, including on the publication of privacy policies, making it easier for consumers to get their complaints resolved and carrying out spot checks of firms’ privacy practices. The sticking points relate to access by American government authorities: the Commission wants the national-security exception to safe harbour to be used “only to an extent that is strictly necessary or proportionate”.

Negotiators seem to have hoped that the court would delay its decision until they had reached agreement. But if the judges take a tough line, it will be hard for the Commission to compromise on the activities of America’s security services. The American government may be even less willing to make concessions: in a testy statement the United States Mission to the EU, effectively the American embassy in Brussels, responded to the advocate general’s opinion by saying that America “does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens”.

The ruling could also be an excuse for the American Congress not to pass the Judicial Redress Act, a pending piece of legislation to allow EU citizens to sue in American courts if they think their privacy has been violated. That in turn would undermine another privacy-related deal reached in September called the “Umbrella Agreement”, which deals with the exchange of personal data between law-enforcement agencies on either side of the Atlantic. The Commission has said it will only sign once the Judicial Redress Act has become law.

Plans to update the EU’s 20-year-old data-protection directive and to harmonise regulation across the continent are likely to widen the privacy gap with America even further. The current draft would require firms, for example, to develop products with privacy in mind and appoint independent data-protection officers, much like risk officers in banks. Violations could lead to fines of up to 2% of worldwide revenues. After Mr Snowden’s revelations, several countries, including Brazil and more recently Russia, passed laws requiring data to be stored locally, and put up other virtual data barriers. Many are symbolic and impractical. But the danger is that a long fight over privacy between the EU and America could lead to the balkanisation of the internet.