I did not think my first post here would be on trans-Atlantic data privacy, but this morning I read that the European Court of Justice struck down the so-called “Safe Harbor” provisions that governed data privacy rights of the European customers of American companies. As the TechCrunch article explains:
The Safe Harbor executive decision dates back to 2000, and allows U.S. companies to self certify to provide “adequate protection” for the data of European users to comply with the European data protection directive, and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention for the Protection of Human Rights).
In a strange coincidence, my first published work was on this exact topic, back in 2004. The problem, in a nutshell, is that the U.S. and E.U. have different standards for what businesses can do with the personal information you provide them. In Europe, data privacy is governed by a directive issued in 1998 that harmonized privacy rules among the E.U. member-nations and forbade transfer of consumers’ data outside the E.U. into any country that had inadequate privacy protections. In the E.U., a consumer must explicitly grant a company permission to share his data. In the U.S., companies may share consumers’ data unless the consumer explicitly opts-out. (You’ve probably received a notice like this one from your credit card companies: that’s because of this issue.)
This difference in the laws, among other things, caused the problem of E.U. regulators saying that the U.S. did not have adequate data privacy protection. By agreeing to let American companies self-certify that they were in compliance with the U.S laws, they were essentially considered in in compliance with the E.U. directive, and cross-border trade was allowed to continue. A lawsuit against Facebook by an E.U. citizen opened a crack in this protection when Europe’s highest court ruled that the Safe Harbor could not prevent suits against companies that fall short of E.U. privacy rules.
Back in 2004, I argued that the U.S. should adopt data privacy rules closer to those of Europe. We didn’t, and the Safe Harbor has worked as a temporary solution ever since. That solution has seemingly crumbled, and regulators must either come up with another E.U.-wide solution that will pass judgment with the ECJ, or else leave U.S. companies to deal with the varying privacy laws of the 28 E.U. member-states, an expensive and time-consuming proposition.