The Safe Harbor Pact: A Disconnect Between the US and the EU
US and EU officials avoided a potential major disruption when they agreed to new terms for a digital “Safe Harbor Pact” that allows US companies to move data on European customers back and forth between Europe and America.
Failure to reach an agreement could have had dire consequences to Trans-Atlantic e-commerce, internet access to particular websites, and even internal corporate networks.
Europe and the US have very different laws about the privacy of online information, and European rules provide much greater protection to consumers than the US rules.
The Safe Harbor Pact, which operated for 15 years, allowed US companies to “self-certify” that they provided the required privacy protection for EU citizens. Companies that self-certified in this way could register on a list of “Safe Harbor” organizations.
In October, 2015 the European Court of Justice threw out the Safe Harbor Pact, citing, among other things, Edward Snowden’s revelations about the US National Security Agency’s “Prism” program that accessed mountains of personal data for intelligence purposes.
My earlier post, How an Austrian Student Gave 4,500 US Companies a Privacy Headache, explains how a complaint filed by a then-24-year-old Austrian studying at Santa Clara University School of Law in California led to the collapse of the pact.
Without the protections afforded by the pact, many online providers would have had to stop transferring information on European customers to servers in the US — or risk getting in trouble with European regulators. While large companies such as Facebook and Google could presumably afford to isolate European customers on European servers, it might be much tougher for smaller companies that can’t justify a physical presence in Europe.
As reported by the NYTimes, after the court threw out the existing Safe Harbor Pact in October regulators were given until the 31st of January to come up with a new agreement. Failure to reach an agreement would have meant individual European countries would start enforcing their privacy laws against digital operators based in the US but serving clients in Europe.
The deadline was missed, but a deal was hammered out on February 2 — one day before European regulators were going to take action.
Just As Good?
American negotiators tried claiming that US rules were very similar to European rules. An earlier New York Times article, written when the negotiators missed the deadline, shows the Europeans didn’t buy that argument:
“That assessment just isn’t true,” said Jan Philipp Albrecht, a German politician who has called for stronger data protection rules. “There’s a massive difference over how this issue is treated in Europe compared to the U.S.”
The Europeans still have a number of concerns about the deal — especially whether written guarantees that US intelligence agencies will not have indiscriminate access to European data will appease privacy-rights groups.
As it currently stands, the deal only provides a little breathing room — there are still hurdles to be overcome before it’s finalized as law. The deal has to be approved by the EU’s 28 member states and the individual national data protection regulators have yet to weigh in. It’s also expected that European privacy rights groups will file lawsuits to try and block the deal.
If the deal gets approved by the EU member states, and survives or beats back any legal challenges, it’s expected to take effect in April. In the meanwhile, US companies may continue to work with European customers and website visitors.