The Transatlantic Privacy War: A Guide

The Transatlantic Privacy War: A Guide

The cold war around data privacy just turned into an open conflict.  On October 6, the European Court of Justice struck down the “Safe Harbor” agreement between the United States and the European Union.  For the past fifteen years, Safe Harbor was the only protection technology businesses had from data privacy zealots in the EU who threatened to undo the portability of information on the internet.  Now that protection has vanished.  How did we get here, and what will happen next?

The debate over data privacy has been a subject of tension between the US and the EU for decades.  At its core, it is a difference of political philosophy.  For Americans, privacy is what political science professors call a “positive freedom”.  That is, privacy is a form of liberty.  Supreme Court Justice Louis Brandeis famously called it “the freedom to be left alone”.

For Europeans, privacy is a “negative freedom”.  Personal data must be protected against external intervention, keeping the power of information firmly in the hands of the individual.  Hence the European focus on the ownership of data, most memorably expressed as the “right to be forgotten”.

Enter Max Schrems, an Austrian privacy activist. Schrems brought a case before the European Court of Justice claiming that Irish authorities lacked the ability to adequately safeguard the information contained in his Facebook profile.  Schrems won his case on the theoretical ability of American government agencies to monitor Facebook’s Irish servers – he had no evidence or proof of any actual wrongdoing.  The court struck down Safe Harbor because there was a possibility that Schrems would lose control over his data.  The fact that he voluntarily provided his data to Facebook in the first place is beside the point – the ruling states that “insufficient protection” is the issue.

Up to this point, European courts issued smaller nuisance rulings on privacy matters.  They said that buildings in Germany had to be erased on demand from Google Street View because homeowners deserved to protect the sight of their residences.  They required that tech firms automatically erase information on timetables dictated by complicated local statutes.  In each case, compliance was a costly chore but ultimately feasible.

This ruling, however, is far more destructive and far-reaching.  The tech industry relies on free transfers of data across jurisdictions as part of its core business strategy.  This is what makes cloud computing economically viable.  Up to this point, those transfers have assumed an American understanding of data privacy.  The end of Safe Harbor ushers in the possibility that tech businesses will also have to take European privacy norms into account, including the “citizenship” of data, where data is stored and transmitted, and how data processing can be undone.

While this may be a step forward for people who want to control their own information, it is an operational disaster for companies who rely on a globally distributed infrastructure to process that information.  Businesses hate uncertainty – this ruling has thrown the legal and cultural underpinning of every transatlantic data transfer into doubt.

Government officials on both sides express their determination to forge a new deal, but doing so will be extremely difficult.  Two years of negotiations designed to replace Safe Harbor have resulted in nothing but frustration and deepening mistrust on both sides.  The court’s ruling made a tough job even tougher by negating the status quo as a fallback position and basis for negotiation.  The accusations, recriminations, and legal wrangling will likely get worse before the situation stabilizes.

The technology industry is caught in the middle, without clear direction or solid legal basis for action.  In the absence of a clear path forward, tech firms have to plan for the worst (a balkanized system of local privacy fiefdoms) while advocating for something better (a new accord which resets the rules and provides a predictable legal framework).  The privacy war has begun, and unfortunately the technology industry already shows signs of being its first casualty.