News yesterday that a dormant and much maligned cybersecurity bill—the Cyber Information Sharing Act—had not only resurfaced but was on a fast track towards becoming law by virtue of being appended to a large spending bill came as an unfortunate surprise for the tech sector, privacy advocates, and anyone who cares in transparent policymaking. In the last few weeks of 2015, all of Congress’s remaining legislative capacity was directed towards passing the bloated mish-mash of policies known as the “omnibus.” In theory, the omnibus is a “must-pass” spending bill (“must-pass” in the sense that signing it into law is necessary in order to fund the government) that combines a number of different appropriations bills into one, streamlining what could otherwise be a tedious effort to pass spending bills piece-by-piece. But, in what has become a commonplace practice in DC, this year’s omnibus crams in piles of unrelated legislation (more than 2,000 pages in all), effectively ensuring the passage of controversial bills that would likely have faltered if exposed to the normal legislative process, public debate, or a straightforward Presidential veto.

Ultimately, this means that groups and individuals without significant influence or lobbying power often find themselves pushed out of closed-door conversations about what unrelated bills get appended to the omnibus. While this closed process doesn’t always result in terrible legislation (the removal of anti-net neutrality riders to this year’s omnibus being a prime example of good policy emerging from the omnibus mess), when bad legislation does find its way into the omnibus, it’s almost impossible to get it out. It is through just this backwards process that the ill-fated Cyber Information Sharing Act (CISA) found its way into the omnibus and on a seemingly unstoppable course towards a Presidential signature.

CISA essentially creates a framework for companies to collect and share user data with government in a way that may circumvent basic privacy protections. While the bill is supposed to help government and industry cooperate to prevent cyber attacks like the high-profile hacks that targeted Sony, Target, and the federal Office of Personnel Management, critics argue that the bill creates more problems than it solves by jeopardizing user privacy, incentivizing companies to secretly monitor user activity, and allowing the government to obtain consumer data without a warrant. By moving CISA through the omnibus, these critics have been shut out of the recent negotiations. It’s no surprise then that the language that ultimately made it into the omnibus is worse in terms of privacy protections than other iterations of the bill.

For startups, CISA’s inclusion in the omnibus is bad for a few reasons. First, enacting significant legislation via amendment to unrelated must-pass bills limits the voice of small business in government. As this becomes more commonplace, startups who do not have the resources or relationships to participate in closed-door discussions are boxed out. Second, any bill that weakens privacy protections for user data threatens to undermine consumer confidence in Internet services. This, in turn, decreases the market for startups that provide such services. Finally, considering the European Court of Justice recently invalidated a crucial safe harbor by which US companies—startups included—were permitted to import EU consumer data precisely because of US laws that gave government access to user data without any real privacy protections, pushing a bill like CISA only threatens to make things harder for US companies operating overseas.  

As policymakers consider a variety of cybersecurity and privacy issues, it’s crucial that the startups and technologists that understand how key technologies actually work are a part of these conversations. Congress’s decision to move CISA through the omnibus spending bill is a move in the wrong direction for the startup sector’s participation in DC.

This week’s decision from the European Court of Justice (ECJ) vacating the European Commission’s “safe harbor” rule that allowed U.S. companies to quickly and easily import consumer data from European users has left many in the tech community unsure about exactly what went down and what happens next. While the ultimate impact of the ECJ’s ruling is hard to predict, the incident serves as an interesting lesson on the often poor fit between policy and technology.

What exactly happened?

Unless you’ve recently taken a course in EU civics, figuring out precisely how things got to this point and what it all means is rather difficult. To summarize: the EU’s data protection laws are more stringent than those in the much of the rest of the world—the U.S. included. Under the EU’s Data Protection Directive, data from EU citizens can only be transferred to countries that provide certain protections for said data. Recognizing that compliance with these data protection rules could create a giant bureaucratic headache for companies and countries, in 2000, the European Commission created a “safe harbor” that allowed any U.S. companies to self-certify that they complied with the Directive and thereby legally import EU consumer data into the U.S. This safe harbor rule is at the heart of the present dispute.

In 2014, an Austrian citizen filed a lawsuit in Ireland, claiming that U.S. laws permitting the NSA to surreptitiously collect and analyze vast amounts of consumer data violate the Directive. The Irish court then referred the case to the ECJ, the highest court in the EU, to consider the application of the safe harbor rule. Ultimately, this week, the ECJ held that the safe harbor doesn’t prevent individual member states from considering whether U.S. rules allowing government data collection render U.S. companies in violation of the Data Protection Directive and that the safe harbor itself fails to provide adequate data protections. With the ruling, the most commonly used legal pathway for importing EU data to the U.S. disappeared.

So what happens now?

With the rule allowing U.S. companies to import EU consumer data eviscerated, do EU-U.S. data transfers suddenly stop altogether? Did EU citizens wake up to find they couldn’t access their email accounts run by American companies? Not quite. The ruling will impact different companies in different ways.

Different legal pathways for data transfers

The safe harbor isn’t the only way that U.S. companies can import EU customer data. For example, companies can craft “binding corporate rules” (essentially, intra-company privacy policies) that, once approved by the data protection authorities in EU member states, allow for EU to U.S. data transfers outside of the safe harbor. But, since crafting such policies and getting member state approval is an arduous, time-consuming process, only large, well-funded companies can afford to explore these alternate data transfer protocols, leaving startups functionally unable to comply with data transfer rules.

Local data storage

If a company can’t legally transfer data from the EU to the U.S., the other option is to simply keep the data in Europe by building or leasing new data storage facilities overseas. Some companies, like Box and Pick1 are taking this approach, but this strategy comes at significant financial and time costs for companies, and startups operating on tight budgets may not have the resources to relocate servers or the time to develop new ways to handle foreign data.

Do nothing?

If a startup can’t find alternate legal mechanisms to import data or European data centers to handle EU data, it’s left with a difficult choice: stop handling EU customer data or continue to do so and face legal risk. The former tactic has obvious drawbacks. For one, it can be challenging to determine whether or not particular data belong to an EU-based user, rendering compliance nearly impossible. And, even if it is possible to altogether stop handling EU data, losing such a huge market will likely doom a great number of companies.

Startups could (and many probably will) simply continue business as usual and hope that they don’t get sued. A company that struggles to find the resources to establish alternative data importation frameworks or overseas servers may be too small for regulators and plaintiffs to worry about. Obviously, this isn’t a particularly comforting option for a company that wants to follow the rules. But, with such a sudden and dramatic shift in the rules, it may be the only course forward for some companies.

How long will this problem persist?

While the decision came as a surprise to many, policymakers in the EU and U.S. have been trying to shore up the safe harbor framework for a while. The ECJ’s ruling will add some urgency to their work, and U.S. and EU officials have given assurances that alternative data export pathways will soon become available. Of course, “soon” means something very different to bureaucrats than it does to entrepreneurs. And, even if the EU and U.S. can craft a new safe harbor framework, it’s unclear how these new rules will avoid the same fate as the prior safe harbor. That is, if the ECJ’s decision was predicated largely on the U.S.’s NSA-enabling legislation, any new safe harbor framework will similarly run afoul of the Data Protection Directive unless and until the U.S. passes significant surveillance reform legislation that limits the NSA’s reach. But, since a new ECJ ruling throwing out this replacement safe harbor could take several years, it may buy enough time for the U.S. or EU to craft other sensible data transfer rules.

Broader Lessons

The ECJ’s elimination of the safe harbor could pose an existential threat to some companies or it may simply end up being a temporary distraction, but it has helped crystalize a few issues facing the Internet economy. First, the notion of enforcing territorial data restrictions makes little sense in a globally interconnected digital world. Sure, national governments have an interest in making sure that their users’ data are protected, but trying to restrict the flow of information across national boundaries creates more problems than it solves, particularly for the startups that are responsible for building the global Internet. Creating insurmountable bureaucratic hurdles for companies that want to comply with their international obligations serves no one.

Second, the ruling highlights the need for surveillance reform in the U.S. Simply put, if users do not feel that their data are adequately protected, they will be less inclined to use online services—services often provided by fledgling startups. While the logic of the ECJ’s decision itself seems peculiar (if the U.S. fails to adequately protect user data because it allows the NSA to obtain authorization from FISA courts to secretly collect data, why are countries like France, Germany, and the U.K.—which do not require intelligence agencies to get court approval before collecting data for national security purposes—exempt from scrutiny? Is consumer data really any safer from NSA collection if it’s stored in the EU rather than in the U.S.?), the notion that consumer data should be protected from government surveillance is difficult to dispute.

Finally, the safe harbor fiasco is a prime example of how policy struggles to keep up with technological realities and the problems that arise when regulatory compliance becomes too complicated for otherwise upstanding companies to easily navigate. Many companies simply have no idea what they’re supposed to do while national governments try to hammer out an interim fix to data transfer rules, and even this temporary uncertainty can cause companies to go under altogether. As the Internet economy becomes ever more global, policymakers should strive to make the rules governing global commerce as frictionless as possible.