This week’s decision from the European Court of Justice (ECJ) vacating the European Commission’s “safe harbor” rule that allowed U.S. companies to quickly and easily import consumer data from European users has left many in the tech community unsure about exactly what went down and what happens next. While the ultimate impact of the ECJ’s ruling is hard to predict, the incident serves as an interesting lesson on the often poor fit between policy and technology.
What exactly happened?
Unless you’ve recently taken a course in EU civics, figuring out precisely how things got to this point and what it all means is rather difficult. To summarize: the EU’s data protection laws are more stringent than those in the much of the rest of the world—the U.S. included. Under the EU’s Data Protection Directive, data from EU citizens can only be transferred to countries that provide certain protections for said data. Recognizing that compliance with these data protection rules could create a giant bureaucratic headache for companies and countries, in 2000, the European Commission created a “safe harbor” that allowed any U.S. companies to self-certify that they complied with the Directive and thereby legally import EU consumer data into the U.S. This safe harbor rule is at the heart of the present dispute.
In 2014, an Austrian citizen filed a lawsuit in Ireland, claiming that U.S. laws permitting the NSA to surreptitiously collect and analyze vast amounts of consumer data violate the Directive. The Irish court then referred the case to the ECJ, the highest court in the EU, to consider the application of the safe harbor rule. Ultimately, this week, the ECJ held that the safe harbor doesn’t prevent individual member states from considering whether U.S. rules allowing government data collection render U.S. companies in violation of the Data Protection Directive and that the safe harbor itself fails to provide adequate data protections. With the ruling, the most commonly used legal pathway for importing EU data to the U.S. disappeared.
So what happens now?
With the rule allowing U.S. companies to import EU consumer data eviscerated, do EU-U.S. data transfers suddenly stop altogether? Did EU citizens wake up to find they couldn’t access their email accounts run by American companies? Not quite. The ruling will impact different companies in different ways.
Different legal pathways for data transfers
The safe harbor isn’t the only way that U.S. companies can import EU customer data. For example, companies can craft “binding corporate rules” (essentially, intra-company privacy policies) that, once approved by the data protection authorities in EU member states, allow for EU to U.S. data transfers outside of the safe harbor. But, since crafting such policies and getting member state approval is an arduous, time-consuming process, only large, well-funded companies can afford to explore these alternate data transfer protocols, leaving startups functionally unable to comply with data transfer rules.
Local data storage
If a company can’t legally transfer data from the EU to the U.S., the other option is to simply keep the data in Europe by building or leasing new data storage facilities overseas. Some companies, like Box and Pick1 are taking this approach, but this strategy comes at significant financial and time costs for companies, and startups operating on tight budgets may not have the resources to relocate servers or the time to develop new ways to handle foreign data.
Do nothing?
If a startup can’t find alternate legal mechanisms to import data or European data centers to handle EU data, it’s left with a difficult choice: stop handling EU customer data or continue to do so and face legal risk. The former tactic has obvious drawbacks. For one, it can be challenging to determine whether or not particular data belong to an EU-based user, rendering compliance nearly impossible. And, even if it is possible to altogether stop handling EU data, losing such a huge market will likely doom a great number of companies.
Startups could (and many probably will) simply continue business as usual and hope that they don’t get sued. A company that struggles to find the resources to establish alternative data importation frameworks or overseas servers may be too small for regulators and plaintiffs to worry about. Obviously, this isn’t a particularly comforting option for a company that wants to follow the rules. But, with such a sudden and dramatic shift in the rules, it may be the only course forward for some companies.
How long will this problem persist?
While the decision came as a surprise to many, policymakers in the EU and U.S. have been trying to shore up the safe harbor framework for a while. The ECJ’s ruling will add some urgency to their work, and U.S. and EU officials have given assurances that alternative data export pathways will soon become available. Of course, “soon” means something very different to bureaucrats than it does to entrepreneurs. And, even if the EU and U.S. can craft a new safe harbor framework, it’s unclear how these new rules will avoid the same fate as the prior safe harbor. That is, if the ECJ’s decision was predicated largely on the U.S.’s NSA-enabling legislation, any new safe harbor framework will similarly run afoul of the Data Protection Directive unless and until the U.S. passes significant surveillance reform legislation that limits the NSA’s reach. But, since a new ECJ ruling throwing out this replacement safe harbor could take several years, it may buy enough time for the U.S. or EU to craft other sensible data transfer rules.
Broader Lessons
The ECJ’s elimination of the safe harbor could pose an existential threat to some companies or it may simply end up being a temporary distraction, but it has helped crystalize a few issues facing the Internet economy. First, the notion of enforcing territorial data restrictions makes little sense in a globally interconnected digital world. Sure, national governments have an interest in making sure that their users’ data are protected, but trying to restrict the flow of information across national boundaries creates more problems than it solves, particularly for the startups that are responsible for building the global Internet. Creating insurmountable bureaucratic hurdles for companies that want to comply with their international obligations serves no one.
Second, the ruling highlights the need for surveillance reform in the U.S. Simply put, if users do not feel that their data are adequately protected, they will be less inclined to use online services—services often provided by fledgling startups. While the logic of the ECJ’s decision itself seems peculiar (if the U.S. fails to adequately protect user data because it allows the NSA to obtain authorization from FISA courts to secretly collect data, why are countries like France, Germany, and the U.K.—which do not require intelligence agencies to get court approval before collecting data for national security purposes—exempt from scrutiny? Is consumer data really any safer from NSA collection if it’s stored in the EU rather than in the U.S.?), the notion that consumer data should be protected from government surveillance is difficult to dispute.
Finally, the safe harbor fiasco is a prime example of how policy struggles to keep up with technological realities and the problems that arise when regulatory compliance becomes too complicated for otherwise upstanding companies to easily navigate. Many companies simply have no idea what they’re supposed to do while national governments try to hammer out an interim fix to data transfer rules, and even this temporary uncertainty can cause companies to go under altogether. As the Internet economy becomes ever more global, policymakers should strive to make the rules governing global commerce as frictionless as possible.