The Transatlantic Internet: A New Geo-Economic Frontline
For almost a generation, the US-EU Safe Harbor agreement has been the transatlantic digital passport that allowed 4,400 US tech companies to provide services to Europe's 500 million consumers. But an Oct. 6 decision by the European Court of Justice smashed that little-known, but extremely important fifteen-year-old agreement and opened up questions about the future of the thriving transatlantic digital corridor that allowed trillions of dollars of interactions.
The court sided with Austrian law student Max Schrems against Facebook and by proxy the US-EU pact. It ruled that the access of US intelligence agencies, particularly the National Security Agency (NSA), to European data stored on US-based servers did not provide for adequate protection from intelligence snoops.
The ruling is quite concise, but its effect on transatlantic relations online could be one of its most far-reaching. It has left some wondering if Europe's Supreme Court just had its Citizens United moment.
Here are seven political takeaways from the ruling.
First, the decision itself is as baffling as it is far-reaching. The court set upon determining whether or not Safe Harbor gave Europeans protections that are "essentially equivalent to that guaranteed within the EU." The ruling directly pointed to what it considered indiscriminate data collection by the NSA. But the decision will not affect this collection. The ruling is a bank shot that hits commercial interests instead.
In fact, similar intelligence practices exist within several EU member states. France enacted some of the toughest surveillance laws in the world in the wake of the Charlie Hebdo attacks in January. The United Kingdom has a long memory of terrorism from the Irish Republican Army (IRA) in the '80s to the London subway bombings on July 7, 2005. Most EU member states are also NATO allies and work closely with the United States on intelligence matters, enable US data collection both in the EU and the United States, and benefit from it. A delicate balance between privacy and national security exists in all democratic societies.
This reality is not lost on European policymakers. The EU has a sophisticated body of law has sought to balance the right to data protection always in the context of other — at times competing — rights and responsibilities. The European Convention of Human Rights notes that states recognize exceptions "in the interests of national security, public safety or the economic well-being of a country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others." Articles 12 and 19 of the United Nations' Universal Declaration of Human Rights establish a similar balance. Even the major legislative overhaul on data protection currently under debate in Brussels contains carve outs that leave national security intelligence gathering relatively untouched. The ECJ knows this — which raises questions as to why the court would apply a higher standard to the United States than it does at home.
Which leads to a second takeaway — the ruling seems to provide top cover in talks between the United States and the EU that are ongoing. Both sides are currently locked in renegotiations on a Safe Harbor for the post-Snowden world. The European Commission put forth a list of thirteen recommendations for this Safe Harbor 2.0. Negotiators from both sides acknowledge that the final two recommendations dealing with national security have been the toughest. Here's where the ECJ weighs in. It essentially inserts these recommendations into its ruling.
Furthermore, the court asserts that Europeans have "no administrative or judicial means of redress enabling… the data relating to them to be accessed, and, as the case may be, rectified or erased." Legislation granting this form of judicial redress to European citizens just passed the US House of Representatives. The Obama administration supports it.
The ECJ has taken an unprecedented political role by inserting itself into live negotiations to shore up European Commission positions. Moreover, the ruling has emboldened the most doctrinaire skeptics in the European Parliament and elsewhere of whether an open digital relationship with the United States is even necessary or desirable.
Third, the decision feeds into a political narrative that Europe is using technocratic means to correct Silicon Valley's perceived competitive advantage over Europe's tech sector. That perception — fair or not — has long existed. US President Barack Obama expressed as much in February saying: "We have owned the Internet. Our companies have created it, expanded it, perfected it in ways that Europe can't compete. And oftentimes what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests."
In the wake of the Schrems ruling, suspicion about EU digital protectionism has ricocheted through Washington. A bipartisan cross-section of Congress was uniformly scathing on the decision. Even Sen. Ron Wyden (D-OR), a hero to the Internet's civil libertarians, said that the ruling called "open season" on American businesses. That political fallout could have effects beyond the sensitive digital relationship. As a political matter, this ruling couldn't have come at a less opportune time. US-European cooperation is key to the world's response on challenges that range from Iran to the Islamic State of Iraq and al-Sham (ISIS) to Ukraine to the climate change talks in Paris in December.
Fourth, the ruling effectively "Westphalianized" Europe's digital single market by reasserting the sovereignty of each and every national data-protection agency (DPA) over the EU and undermining the notion of a "Digital Schengen." The European dream has always been to create one single market that stretches from Lisbon to Tallinn just as the US economy stretches from San Francisco to New York. As Robert Madelin, the EU's innovation czar, said in October. "The most important thing ‘Europe' creates is not the law but the space." But the ECJ decision shatters that space online.
In its place are pieces — national and even regional regulators — that can say yea or nay to Facebook, Google, HP, Amazon, and even Ford. This is particularly tragic given the Court's traditional role as protector of European integration. Already one German data-protection regulator has begun to require that all German citizens' data be repatriated from American to German soil. Companies might be willing to set up data farms in big states like Germany. But what about small states like Slovenia or Luxembourg? This "Fort Knox" mentality on data not only undermines the Internet's founding ethos of openness and innovation, it also makes data less well-protected. The only countries cheering will be illiberal states like Russia that have long argued for "digital sovereignty" and forced localization in order to give the state greater control over online activity.
Fifth, the decision raises questions about the certainty of Europe's digital economy. In the short term, it left many unanswered questions: is there any grace period? Does this apply to users' data transferred to the United States years or even decades ago? What does this mean for other means of data transfer and data flows in other areas such as financial transactions and flight information where the ruling could also potentially apply?
In the long term, the decision could throw cold water on negotiations for the mega-trade agreement between the United States and Europe. It also sows doubt in the ability of the European Commission — as the traditional "guardian of the EU treaties" — to represent the EU on weighty matters such as digital commerce with powers like the United States, China, and Brazil.
This kind of uncertainty could have a chilling effect on Europe's tech economy. The ruling may give rise to new brick-and-mortar data servers in Europe. But it also makes the EU a less attractive place to innovate at the outset or enter as a market for expansion when US startups go global.
Which brings up the sixth point — the ruling disproportionately hits startups, a community that craves to serve Europe's consumers. Most of the big guys like Facebook, HP, and Amazon will release a phalanx of lawyers and use alternatives to get around this setback. The hardest blow is to the thousands of aspiring startups that used the Safe Harbor agreement as their own personal passport to access the European market.
So what's next? One positive effect of the ruling is that it places the ECJ squarely on Washington's diplomatic radar. Going forward, the United States can work assiduously to build relationships, listen to and incorporate positions, and strengthen bonds between transatlantic counterparts just as it did in the wake of the European Parliament's 2010 rejection of an agreement to share information on terrorist finance.
But at what price? The Schrems decision leaves the EU court exposed to claims that it is anti-American, out of touch with the online world, or unaware of national security laws in the EU itself. A process victory can hardly counterbalance the decision's potential economic and political fallout. Passage of the Judicial Redress Act by Congress would be a start. It's unclear where the two digital superpowers can go from here.
Tyson Barker, a former State Department official, is the rapporteur for the Atlantic Council's Transatlantic Digital Task Force.
This article was originally published on the Atlantic Council's New Atlanticist Blog.
- Atlantic-Community.org in Transition
- Towards a More Inclusive Transatlantic Partnership: Update on the 2nd Atlantic Expedition
- Topic of the Month: The Future of Health Care
- Do We Need Data Donations?
- eHealth - Tele-Monitoring and Tele-Medicine - Digital Innovation in the Life Science Sector in Germany