
US-EU Cybersecurity Relations: Out of the Safe Harbor and Behind the Privacy Shield

May 25, 2016


Alexander Kegel

On October 6, 2015, the European Court of Justice (ECJ) struck down the Safe Harbor law, which could be argued to be the single most important legislation for United States data companies with international branches in Europe. The Safe Harbor law was signed in 2000 and allowed American companies with European branches to store user data on American servers.

The decision was centered around fears over what European user data US companies might be sharing with the NSA and other US government agencies. In response to this fear, the ECJ rejected the notion that European user data should be allowed to leave Europe to be processed in U.S. data centers. Functionally, this would mean that Microsoft, Amazon, Facebook, and other international companies would be forced to process European user data in data centers in Europe.

The time and cost alone to build such data centers was motivation enough to begin negotiating a new Safe Harbor system—or what is being referred to as the US-European Union (EU) privacy shield. After a three-month hiatus, the US Department of Commerce and the European Commission agreed to once again allow companies to store European user data on American computers.

But what exactly does this privacy shield contain that makes it more acceptable to the ECJ and the European community in general? Transparency.

The Atlantic Privacy Divide

European Union law frames the issue of data privacy as a human right. In the US, by contrast, it is framed as being about protecting customers.

The reason for this difference in framing is the presence of intelligence agencies. In the case of the European Union, there is no supranational intelligence agency and, thus, for the EU, the issues around security and privacy in international agreements are different than they are for the US. Privacy for the member states is secured by the institutions of the European Union, while the member states leave sovereignty of data privacy to the individual intelligence agencies of each member state. Therefore, any decision made by the European Commission on data privacy represents a consensus reached by all member states.

However, the judgment of the ECJ does not exclude the recognition that a government should have the right to access user data under specific circumstances. For an understanding of the US government’s stance on privacy, look no further than the debate between the FBI and Apple over the San Bernardino shooter’s iPhone. Americans hope for a careful equilibrium between total privacy and total national security. Devices must be secure from prying by government agencies but not secure enough to protect the data of terrorists.

What We Lose Without a US-EU Data Agreement

When U.S. Secretary of Commerce Penny Pritzker presented the US-EU privacy shield agreement with the statement that “this historic agreement is a major achievement for privacy and for businesses,” it was not an exaggeration. The trade relationship between the US and the EU accounts for a major portion of world trade and the same is true of the data flow. The U.S.-EU data flow is fifty percent higher than between Asia and the US and dwarfs the data flow between the US and Latin America by more than twice as much. The US exported $140.6 billion worth of digital services while importing $86.3 billion of similar services from EU countries. The United Nations Conference on Trade and Development estimates that the information and communication technology (ICT) sector is responsible for half of all services trade or about $600 billion of trade worldwide. Digital services between the US and the EU account for $260 billion. Without a data agreement, these trade flows become much harder to facilitate and US and EU companies suffer.

Bridging the Privacy Divide Requires Trust-building

The US Secretary of Commerce assured the press that, “we have spent more than two years constructing a modernized and comprehensive framework that addressed the concerns of the European Court of Justice and protects privacy.” President Obama has worked since 2013 to implement several measures to enhance privacy protections against US intelligence activities regardless of nationality. The importance for Europeans in accepting American data centers is in assessing the role of the NSA and the other agencies of the U.S. government. To relieve pressure, the US Intelligence Community communicated with the European Commission on the layers of policy safeguards that are involved in intelligence operations as well as active oversight of the three branches. Most important for the European Commission were the possibility of judicial redress and the ability to review the privacy shield agreement every year.

Rebuilding the Safe Harbor in the Form of a Privacy Shield

The EU-US privacy shield not only benefits transatlantic commerce but further supports the strength of the relationship between the US and the EU. The relationship between the US and the EU should demonstrate solidarity in data flow and exchange of digital services. Without this digital service trade, any banks headquartered in the US would no longer be able to lend to their customers in Europe due to the inability to manage risk profiles, and identity document authenticators would not be able to test passports with American software. Luckily, the US Department of Commerce and the European Commission signed the US-EU Privacy Shield agreement on February 2, 2016, transferring the Safe Harbor laws into the newly formed Privacy Shield against intrusion into user data.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.