In last week’s blog post we talked about the significance of transatlantic data flows in the 21st century. We showed what kind of benefits international data exchange brings to both sides, as well as what potential risks and challenges it might hold. At our Berlin Event on Tuesday we collected input from a number of prominent voices on the topic and held a highly successful panel discussion on how to develop an ideal transatlantic data flow system for the future. This week we want to look at the topic of transatlantic data flows again, though this time in a less abstract, less theoretical light. We want to explore what the state of play regarding data flow between the EU and the US is right now: what regulatory systems are in place, who profits from them, and what immediate developments we can expect in this relationship.
“Safe Harbour” – The Dos and Don’ts of Transatlantic Data Transfers
The system currently in place to govern transatlantic data flows is the Safe Harbour agreement. Introduced and verified by European courts in 2000, this set of rules and principles effectively works as a list of “dos and don’ts” for American businesses with regard to European data.
American companies that want to transfer data of European users or customers to the US first have to join the agreement, promising to uphold its principles and provide a strong form of data protection and administration comparable to European standards. The principles also set limitations on the use of people’s personal data. The company has to explicitly declare what the data might be used for and cannot hand the data over to third-party entities that do not also fulfil the Safe Harbour requirements.
Over the years, however, this system has come under more and more criticism. Ever since its implementation, European observers have had a hard time verifying actual compliance and enforcement among US companies. Furthermore, special US national security laws allow for the collection of data even without explicit notification, effectively bypassing the agreement. Finally, with the Snowden revelations, the Prism scandal now seems to have dealt a final death blow to confidence in the system, leading a German data protection agency to say that the agreement would, at this point, be worth “about as much as the paper it was printed on”.
The “GDPR” – Building a Unified Rulebook for European Data Protection
As a result, in 2013 the European Commission announced that the agreement would undergo a thorough review and improvement process on several points. The US in particular is now interested in finishing these renegotiations as quickly as possible, and it has good reasons to do so. On the one hand, there is a lawsuit currently before the European Court of Justice. The outcome could potentially give European member states the authority to look behind the court’s 2000 ruling on the agreement’s validity, handing them the possibility to scrutinize or even reject the existing framework. It is questionable, though, whether the US and EU will come to a new agreement before the court’s ruling at the end of June.
On the other hand, the US knows that the EU’s review of the Safe Harbour agreement is only one aspect of a larger debate within the European Commission and Parliament. With the continuous stream of surveillance-related news items in European media and the protection of personal data more present than ever in people’s minds, the EU Parliament voted in March 2014 in favour of a comprehensive reform of existing European data protection law. The new European system, called the General Data Protection Regulation (GDPR), is meant to unify the patchwork of individual EU member state laws that presently dictate the EU’s data protection standards. Many voices in Europe now call for so-called data localisation regulations to be included in the GDPR. Such regulations would require businesses to store data only in the country where the user is located – a policy the US wants to avoid at all costs. Achieving a renewed, refined Safe Harbour 2.0 agreement as soon as possible could take the wind out of the data localisation proponents’ campaign.
How TiSA and TTIP Further Fuel the Debate
European fears of a US government trying to avoid stricter regulations on cross-border data transfers and data protection at all costs are not entirely unfounded, however, as evidenced by the leaked documents from the ongoing negotiations on the planned “Trade in Services Agreement” (TiSA). The American negotiating mandate for the proposed agreement to lower burdens between the service sectors of 50 different states – including the US and all EU member states – directly states that governments should not have any power to stop companies from transferring data across borders and out of the domain of the user, even if the company in question does not have any physical branch in the user’s country. Legally, that would mean that any company that did not have a branch in the EU and transferred data out of the EU would not be bound by any European data protection laws, be it the laws of the user’s own country or the now proposed EU-wide GDPR. Similar talk about possible data protection loopholes in the much more widely discussed TTIP agreement has been rebutted by statements from both the European Commission and the US side that the domains of data transfers and data protection would not be touched upon under the Free Trade Agreement.
We showed last week that the flow of data between the EU and the US brings with it enormous growth and benefits for both sides’ economies. A policy of strict data localisation would thus have large economic costs and cannot be seen as an ideal solution. Equally, Europeans are definitely not wrong to fear for their user rights in the face of American mega-companies or government surveillance. The establishment of a unified and extensive GDPR framework for European data protection standards, which includes critical points such as the right for consumers to have their data “forgotten”, is a good and necessary first step. The EU should then be very careful in its negotiations, both on a renewed Safe Harbour agreement and on a possible TiSA deal, to ensure that the requirement to commit to European data standards for data originating in an EU member state remains intact even outside of the EU. In the end, a unified European data standard and a revised Safe Harbour 2.0 system for data flows to the US might not represent an ideal solution, but it would certainly be an improvement on the current situation, and right now it looks like the most realistic option people can hope for if trade in services is to continue to bring big benefits to both sides.
In the words of immortal modern-day poet Mick Jagger: You can’t always get what you want, but if you try sometimes well you just might find, you get what you need…