To a casual observer, the strike-down of the US-EU Safe Harbor Agreement in October 2015 appeared to abruptly halt the winds that had driven 15 years of smooth sailing for international, data-driven businesses. The message seemed clear enough: no more free-flowing transfer of personal data across the Atlantic for the profit of US mega-firms. Right?
Not quite. The terms with the US are still being negotiated in Brussels; the deadline to reach an agreement between the EU and the US is looming. On Monday, February 1st, we might learn a little bit more about the potential future of technology in Europe.
This is because the negotiation of the Safe Harbor outcome is more multifaceted than it seems; the bulk of the iceberg is beneath the surface. There are other policies involved. The US Senate is currently still debating on home turf about potential – separate -- legislation that might persuade the EU to forge new data-transfer rules that would be more favorable to US businesses operating in Europe. The decision itself will likely serve as a strong and influencing signal to EU policy-makers, as either a signal for truce or cannon-fire.
The primary issue being discussed is the Judicial Redress Act of 2015, which was passed by the House only a couple of weeks after the Safe Harbor rule was invalidated in October 2015, and is currently being debated by the Senate. The act essentially would allow the citizens of U.S. allied nations in Europe to sue in civil court over data privacy violations in the US (as governed by the US Privacy Act of 1974). In a sense, the act was designed to pacify the EU in the wake of the Safe Harbor retraction – giving certain EU citizens the right to sue over perceived violations. While the Redress Act would require proactive action by EU citizens to pursue privacy rights, it was considered a compromise.
What the US decides to do with the Judicial Redress Act -- pass as-is or amend -- will likely influence the discussion in Brussels. Passing and Finalizing the act as-is would send a message of good-faith to Europe, by showing US acknowledgement of EU citizens’ privacy. But a decision to amend the bill and make EU civil action more difficult in the case of US privacy violations might further sour EU-US relations.
Either outcome has business implications, but the decision to formally pass the Judicial Redress Act of 2015 might -- in a sense -- create a new “safe harbor” of sorts, minus the formal name of the original agreement. It would tug the rules back to something at least *similar* to the original Safe Harbor. Perhaps it would be a shallower, rockier harbor; more prone to choppy water… but a relatively safe harbor for US businesses none the less. The mechanism for action for US allied EU nation citizens would offer the option of remedy in the face of systematic privacy violations, but it still needs to be seen whether (1) the Act is passed, and (2) how much it would be utilized in Europe.
The potential decision to amend the US Judicial Redress Act of 2015 and make it more restrictive towards EU privacy rights in the US is intended to make calmer water for US businesses to navigate. However, the EU has the potential to respond with stormy seas of their own. In the end, the US doesn’t want to lose profitable data from Europe, and Europe doesn’t want to lose valuable tax revenue from US firms that have EU presence. A compromise is needed, but it’s not yet clear which way the ship will sail.
So as the January 31st deadline approaches, businesses need to keep an eye on the horizon. The skies at night determine whether the next day will be a delight, and on the morning of February 1st, corporations may be in for a warning.