The Collapse of the US-EU Safe Harbor: Solving the New Privacy Rubik’s Cube

October 20, 2015

When people who care about technology look back at the year 2015, they will remember October as the month when the EU-US Safe Harbor collapsed. An international legal agreement that has been in place for 15 years was invalidated in a single day. On 6 October, the Court of Justice of the European Union struck down an international legal regime that over 4,000 companies have been relying upon not just to move data across the Atlantic, but to do business and serve consumers on two continents with over 800 million people.

The decision made clear what many have been advocating for some time: Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud. In both the United States and Europe, we need new laws adapted to a new technological world.

As lawyers and officials scurry to assess the situation, it’s apparent that both a variety of smaller steps and a more fundamental long-term change will be needed. We need to focus on both of these aspects.

It’s important to focus on a wide variety of steps, especially given the potentially drastic ripple effects caused by the collapse of the US-EU Safe Harbor. Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts. In addition, companies like our own that have put in place additional safeguards such as the EU Model Clauses will rely on and add to them, even while everyone discusses additional measures.

But for the sake of the long term, we should also recognize some obvious and fundamental facts. We need solutions that will work not just for large tech enterprises but for small companies across the economy, and for consumers most of all. If we’re going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.

As we consider the steps that might be taken, it’s important to reflect on the many factors that led to this month’s developments. They are varied and complex, and they have been coming together over the course of years. They make any solution to the present challenges more complicated. Unless we take all of them into account, we’re likely to rely on Band-Aids for issues that require changes that are more substantial.

Privacy really is a fundamental human right

More than anything else, the collapse of the Safe Harbor reflects the remarkable evolution of privacy issues. The legal case started in Ireland, where the High Court in Dublin registered concerns about whether Europeans could continue to feel comfortable with their personal information moving to the USA, where the potential broad collection of personal information by US authorities appears to be contrary to ‘the fundamental values protected by the Irish Constitution’. These are not small words.

In many respects, the Irish Court’s decision followed a long line of privacy developments reaching back almost to World War II. In 1950 the Council of Europe recognized that privacy is a fundamental human right. It has remained an important part of European law ever since, including being embodied in the Charter of Fundamental Rights of the European Union. In fact, the very first paragraph of the European Court’s recent decision noted the Charter’s ‘protection of personal data’.

It would be easy for Americans to think that all this reflects a different legal approach on a different continent. That would be a mistake. The protection of privacy from government intrusion has been enshrined in the US Constitution since 1791, when the Fourth Amendment was ratified as part of the Bill of Rights. In our own time the courts in both the United States and Europe have been moving in similar directions, and for good reason.

Just last year a unanimous US Supreme Court ruled that the police must obtain a judicial warrant before searching the contents of a phone. As the court explained, ‘modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.’

The Supreme Court discussed the constitutional protection that requires that the government obtain a warrant before searching a person’s house. It then noted that a search of a phone ‘would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form’.

This is both remarkable and entirely true. Over the past three decades, technology has transformed daily life to such a degree that people now store more information on a device in their pocket than they previously kept in their entire house. And as we know, this data does not stay on one’s phone: sensitive information is replicated ‘in the cloud’, meaning data centers across a continent and around the world.

This transformation helps explain why individuals in the tech sector increasingly have been talking about privacy. Just a week before the European decision, Apple CEO Tim Cook recognized explicitly that privacy is a fundamental human right. I said the same thing on behalf of Microsoft in a speech in Brussels this past January. Microsoft CEO Satya Nadella said clearly over a year ago that we want technology to advance, but timeless values should endure. And privacy is a timeless value that deserves to endure.

But privacy rights cannot endure if they change every time data moves from one location to another. Individuals should not lose their fundamental rights simply because their personal information crosses a border. While never stated quite this directly, this principle underlies every aspect of the European Court’s decision, and it makes sense.

Add to this the daily reality that personal data is often moved not by individuals, but by companies and governments. Typically, individuals are not even aware of where their information is being moved or stored. It is untenable to expect people to rely on a notion of privacy protection that changes every time someone else moves their information around. No fundamental right can rest on such a shaky foundation.

These concerns might have remained on the European back burner but for the revelations of the past two years. The High Court in Dublin was explicit about this, suggesting that the disclosures by Edward Snowden had demonstrated a ‘massive overreach’ by US authorities. As the European Court reasoned, the case had raised real concerns that once personal data was moved to the United States, it might be accessed through governmental bulk collection and without any right by Europeans to defend themselves before a US court.

In practical terms, these revelations mean that European policymakers now need to assess anew whether European citizens continue to have privacy protection that is ‘essentially equivalent’ to the rights that apply at home after their personal information crosses the Atlantic. If they do not, then the Safe Harbor put together at the turn of the century cannot be resuscitated without new changes. What this really means, as is now clear to officials on both sides of the Atlantic, is that the old harbor needs to be replaced by something better.

We need a global Internet

At least from a legal perspective, this challenge would be straightforward if data did not need to move around. New laws might simply command that everyone’s information stay inside one’s country or perhaps even on one’s personal devices. But that would require a return to the digital dark ages.

While it increasingly is possible to store data in a specific data center, personal information for consumers still needs to cross borders for good reasons in a variety of scenarios. Imagine trying to complete a purchase online and being told that your purchase has been blocked because your credit card information needs to be processed somewhere else. Imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country where you want to fly. Countless times every week as consumers and citizens we need other people to move our personal information to the places it needs to go. And future technology innovations will aggregate personal information to enable devices to be even more useful for people.

This international movement of data is important not just for individuals, but for businesses and even countries. The EU Commissioner for Justice, Věra Jourová, put it aptly when she responded to the European Court’s decision by noting that ‘it is important that transatlantic data flows can continue, as they are the backbone of our economy’.

While governments might mandate that all consumer data always stay in one’s own country, this would be like addressing concerns about banks by requiring everyone to keep their money under their mattress. The needs of the 21st century require a better way.

We need to keep the public safe

These issues are made even more complicated by a third and vital factor: Governments need to keep the public safe. While there’s plenty of room for debate about how safety issues should be addressed, there is a broad and even global consensus that the protection of public safety is one of government’s most important roles. And there is a broad recognition on both sides of the Atlantic that we live in dangerous times.

In focusing on this challenge, one of the paradoxes of the Internet today becomes apparent. The Internet has become the world’s principal medium for people to share ideas and communicate with each other. Like the telegraph, the telephone, and other inventions before it, people put this new technology to use in many different ways – to do good and, at times, to inflict harm.

If we’re going to keep people safe in the real world, we need to keep them safe on the Internet. And if governments are going to prevent and investigate threats to public safety in the real world, they need timely and appropriate access to data that is stored online.

A privacy Rubik’s Cube

What is striking is the complexity that emerges when one puts these principles together. We need to protect privacy as a fundamental human right. We need a global Internet. We need to keep the public safe. And we need to find a legal path that will work on both sides of the Atlantic. We need to do all four of these things together and simultaneously. This is the privacy version of a Rubik’s Cube.

If we’re going to find a long-term and sustainable approach, we need to think afresh. The leading privacy law in the USA was adopted in 1986. The laws in Europe come from the same era. The approaches that were developed 15 years before the 20th century ended are simply not adequate 15 years after the 21st century began. It’s not just technology that has changed. The world has changed.

Like the Rubik’s Cube, the solution is obvious only after it’s complete. In this instance, we need to take four steps.

First, we need to ensure across the Atlantic that people’s legal rights move with their data. This is a straightforward proposition that would require, for example, that the US government agree that it will only demand access to personal information that is stored in the USA and belongs to an EU national in a manner that conforms with EU law, and vice versa.

Second, this requires a new trans-Atlantic agreement that creates not just a safe harbor, but a new type of connection between two ports. We need to create an expedited process for governmental entities in the USA and EU to access personal online information that is moved across the Atlantic and belongs to each other’s citizens by serving lawful requests directly with the appropriate authority in an individual’s home country. The requesting government would seek information only within the limits of its own laws, and its request then would be reviewed promptly by the appropriate government authority in the user’s country of nationality. If the designated authority determines the request is consistent with the privacy protections and other requirements of the citizen’s local law, it would validate and give it legal effect, authorizing disclosure.

If the US government were to agree to follow this process for EU data that is stored in the USA, it plainly would satisfy the legal requirements noted by the CJEU. The court required that EU nationals receive for data moved to the USA legal protection that is ‘essentially equivalent’ to their legal protection at home. This would ensure precisely that, because their own governments would continue to apply their own law. And because this process would work in both directions, when American data is moved to Europe, American citizens would continue to be protected by US law and the principles in the US Constitution.

Third, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the US government should be permitted to turn solely to its own courts under US law to obtain data about EU citizens that move to the USA, and the same is true for a European government when US citizens reside there. This is consistent with long-standing legal principles, as well as the practical reality that public safety issues are most pronounced when an individual is physically present in a jurisdiction.

Finally, it makes sense, except in the most limited circumstances, for governments on both sides of the Atlantic to agree that they will seek to access the content of a legitimate business only by means of service on that business, even when it is stored in the cloud. This would address one of the principal areas of current legal concern for businesses that are relying on cloud services.

A new path forward

There are other nuances and complexities that should be considered as well. There always are. But this fundamental approach would cut through the existing legal confusion by making clear both that people will not lose their privacy rights when their data is moved across a border and that there is an effective and legally proper basis for law enforcement to access the data needed to keep the public safe.

This approach will also require that governments take old laws and legal processes and finally modernize them. Some will point to this as a challenge, and they will have a point. But it’s also an opportunity whose time has come. This month the old legal system collapsed, but the foundation long ago had crumbled. In recent years it has been apparent that a new century requires a new privacy framework. It’s time to go build it.

Brad Smith is Microsoft’s president and chief legal officer. He plays a key role in representing the company externally and in leading the company’s work on a number of critical issues including privacy, security, accessibility, environmental sustainability and digital inclusion, among others. This article first appeared as a blog post on the Microsoft blog, Microsoft on the Issues.