The EU’s new data protection regulation is a missed opportunity to fix data transfers with the US, writes Robert D. Atkinson.
Robert D. Atkinson is president of the Information Technology and Innovation Foundation, a Washington-based think tank focusing on the intersection of technological innovation and public policy.
What is the best way to bridge the gap between US and EU privacy law so companies can easily share data to do business across the Atlantic?
This has been a pressing question since October, when the European Court of Justice ruled that US privacy protections are inadequate and invalidated the Safe Harbour Framework, which had served since 2000 as the principal mechanism for transatlantic data transfers.
For the moment, US and EU negotiators are working tirelessly to craft a “Safe Harbour 2.0”—because, absent any other changes, that is what is needed to provide legal continuity for businesses. But the truth is that fixing Safe Harbour is like applying a bandage instead of curing the underlying ailment.
A better alternative would have been for the European Commission to do away with the “adequacy” standard in the EU’s new General Data Protection Regulation that was agreed upon this week, and to instead replace it with a duty-of-care provision.
In short, when it comes to handling data, companies doing business in Europe should be responsible for the actions of both their agents and business partners, regardless of where they are located.
It is worth remembering that the need for a Safe Harbour agreement is a problem of the European Commission’s own creation. After all, virtually all developed countries have privacy laws, but they do not all have the equivalent of a Safe Harbour agreement with the EU.
The problem arises out of a requirement in the current Data Protection Directive that prohibits data transfers to countries that do not provide “an adequate level of protection”. Given the global patchwork of privacy laws, this adequacy requirement has created a legal headache, and so the EU and United States designed the Safe Harbour agreement as one way to bridge the divide.
The EU should not have prohibited companies from transferring data to countries that do not have laws with the same requirements, or required them to rely on alternative arrangements, such as Safe Harbour, or the more complicated and time-consuming binding corporate rules and model contracts.
Instead, the EU should have exempted companies doing business in the EU (or those that have designated a legally responsible business agent in the EU) from the adequacy requirement and clarified that the new General Data Protection Regulation held them legally responsible for any failure to protect the personal data of citizens, regardless of whether that failure is the fault of the company in the EU, or an affiliate or business partner in another nation.
In other words, European protection would travel with the data, regardless of where that data travels. Companies doing business in the EU would then have a very strong incentive to insist that their business partners outside of the EU adhere to the EU’s privacy protections, because EU citizens could seek remedies from companies in the EU for any privacy violations.
This is what most nations do, after all.
For example, European companies operating in the United States must comply with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), which regulates the privacy of health data held by covered entities and their business associates, even if they move that data to Frankfurt. And if a company’s affiliate in Frankfurt violates HIPAA, US regulators can bring legal action against the EU company operating in America.
There are three main benefits of such an arrangement. First, it would make it easier for companies operating in the EU to do business, because they could quickly write contracts with business partners without having to play “Mother May I?” with European regulators or worry about the specific data laws of other countries.
Second, it would reduce the need for Europe to establish a “European cloud” in order to keep data stored within Europe, since under this arrangement moving data to a foreign data centre would in no way reduce European privacy protections.
Third, it would mean that the EU would not need to rely on foreign regulators or foreign courts to enforce the privacy rights of its citizens. Instead, EU citizens and regulators could bring complaints and enforcement actions directly against companies doing business in Europe whenever there is a claim that they are violating European privacy law.
To be sure, this arrangement would mean that companies doing business in Europe would be liable for their own actions and the actions of their business partners.
But that’s the whole point of such an arrangement. Knowing that they risk significant penalties from European data regulators if their partners violate EU law, companies doing business in Europe would insist on contracts with foreign partners that fully protect the rights of European citizens, and that require the foreign partner to compensate them for any fines EU privacy authorities impose if the partner fails to abide by those contract terms.
In short, European privacy law needs to reflect the global norm of ensuring that rules travel with the data and not a norm of data that can only travel if the EU says so.