Expert Speak Digital Frontiers
Published on Feb 09, 2016
The future of trans-Atlantic data transfer

Part two of the two-part series on Safe Harbor and “Privacy Shield” agreement struck by US-European Union negotiators on data protection. Read part one here.

 The economic and political costs of not reaching an agreement are high for both sides. On Monday the EU Commission provided an outline for a new agreement – the so-called Privacy Shield. According to EU Commissioner for Justice Jourová the US will provide written assurances that there are clear limitations, safeguards and oversight regarding government agencies access to data. The outline also includes an annual review of all commitments made under the new agreement and the creation of a new ombudsman at the US Department of State to which European citizens can turn with complaints. The outline also calls for stronger supervision mechanisms for companies that will participate in the new arrangement. Even though the details of the new agreement are still to be determined, the outline has already been met with skepticism by European data protection authorities. And commentators have noted that the recent announcement buys both sides time but that important issues still need to be resolved to reach a final deal.

 While a lot of uncertainty about the final agreement and the question of whether it would withstand the expected legal challenges will remain, one thing has become very clear. More than two years after the first revelations of Edward Snowden the debateover government surveillance and its impact on the right to privacy is far from over. Many Europeans will continue to question whether US surveillance programs are compatible with European fundamental rights. And the US as well as many European privacy activists will continue to point out that European member states themselves fall short of the principles and safeguards laid out by the court. The European Court of Human Rights in Strasbourg has already begun to challenge surveillance regimes of European countries and there are more cases to come.

 So far there has been little discussion in Europe and the US about what this all means for other countries. But third countries – including India – have a strong stake in this debate. Third countries might look with envy at the new agreement. US surveillance programs do not only affect Europeans. So they might want to extract similar concessions from the US government for the transfer of data of their citizens to the US. The reluctance of the US government to meet European demands could be driven by exactly this concern: the new Privacy Shield becoming a new global standard for transfer of data between countries. But India has not only to gain from this debate. Its growing technology sector has a strong interest in the European market and thus in the ability to process data of EU citizens. But the Court of Justice has also set a new standard for transferring data from the EU to any third country. It seems unlikely that many third countries would meet the standards of the court and be deemed as providing an adequate protection of personal data.

 And there is potentially more trouble ahead. While the European data protection directive requires that data transfers should not be made to non-EU countries that do not ensure adequate levels of protection, there are several exceptions (or "derogations") to this rule. Companies can use binding corporate rules or model contract clauses for the transfer of personal data. Through these mechanisms companies demonstrate that they adhere to a level of data protection adequate to European law. Companies currently use these mechanisms to transfer data to countries such as India. However, the debate over Safe Harbor and the Privacy Shield is driven by potential government access to personal data. Companies have little control over this matter as government access is determined by the laws and national security practices of the countries in which they operate. And many European data protection authorities have already announced that they will also evaluate the adequacy of corporate binding rules and model contracts in the light of the Schrems decision issued by the European Court.

 The debate over Safe Harbor and the Privacy Shield can be interpreted as a struggle between the EU and the US to define global standards for privacy. Given the size of both markets and their importance for setting global standards this is a debate that India and other countries should follow closely. And there are also important strategic choices for India in terms of how it wants to position itself in the debate over surveillance and privacy. Developing a comprehensive framework for data protection would be an important step for India, creating the foundation for a more effective participation in a debate that is currently shaped primarily by the US and the EU.In the meantime the Court of Justice of the EU has sent a clear message to the US and any other third country with its invalidation of Safe Harbor: whoever wants to do business with personal data of EU citizens needs to meet European standards for data protection.

Stefan Heumann is director of the “European Digital Agenda” program at stiftungneueverantwortung, a Berlin based think tank with a focus on technology and public policy

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.