November 4, 2015
Guest blog post by Donatienne Ruy, a Belgian citizen / European living and working in Washington DC.
Recently, many articles about the European Court of Justice’s decision on the Safe Harbour agreement have appeared in mainstream newspapers. More specifically, U.S. (and some European) reactions to the decision and stern articles on the dire consequences of the ruling have spread across both digital and print media opinion sections. Yet those articles seem more problematic than the ruling itself.
Indeed, they all explain how the ruling will negatively affect the economy, vital data flows between the U.S. and the EU, and (most important of all) big tech companies. Google and the like will indeed have to change their policies and the way data circulates on their servers. Policymakers will have to implement new rules to fill the legal vacuum the decision created. Yes, we will have to get to work and find new ways to deal with transatlantic data flows after this oh-so-tragic change.
Nevertheless, the doomsday parade should first reckon with the fact that U.S. handling of data in the recent past has not exactly been stellar. Second, the Safe Harbour agreement was implemented in 2000; in tech years, that is a century ago. This was also before 9/11 and the U.S. surveillance program that came under fire after Edward Snowden’s revelations, particularly in Europe. If one does not understand the impact of such revelations, one will not understand why the Court’s decision is not the end of the world. Third, despite the expected negative impact of the ruling, its meaning is what really counts here: privacy matters and is part of the fundamental rights of European citizens. It is one of the values that guide our project, and it will not be threatened by the technological age. As the Court put it in its press release, a situation in which public authorities have a generalized access to electronic communications and individuals have no option to pursue judicial redress for mishandling of their data is a situation “compromising the essence of the fundamental right to respect for private life” and effective judicial protection.
In the face of such pushback, the crucial question thus becomes: when did we start putting business interests ahead of ours? Some will say that is a little idealistic; I say debatable. The European project has suffered several blows in recent years, from the economic crisis to the refugee situation – blows that have endangered the Union’s core values of unity, human dignity and personal freedoms. The Safe Harbour decision is a jolt to all who had forgotten about these values, the Court’s reminder that our priorities are off. The extent of the outrage is a testament to this imbalance: how dare the Court invalidate an arrangement that was beneficial to businesses and tech companies? The privacy concerns that led to the ruling are cast aside as an overreaction and a misunderstanding of U.S. privacy laws on the part of judges. Again, debatable. Surprising as it is that this message would come from the Court of Justice (and not politicians), it is perfectly within its prerogative to pass this kind of judgment (no pun intended). What we now know on surveillance and privacy issues in the U.S. sheds new light on data sharing, and the Court reached a proportionate conclusion that does not deserve the current backlash.
To be sure, the decision to invalidate Safe Harbour will create some difficulties for businesses and policymakers (compliance, renegotiations). However, we should be welcoming it for several reasons. First, it has the potential to pull the EU out of its reactive loop and into a more proactive stance on policymaking, at least for data-sharing matters – and through these, for privacy rules and fundamental rights. Policymakers will be pressed to find an improved framework to replace the invalid agreement, and my hope is that they will do so on their own terms instead of bowing to business or U.S. pressure. While the transatlantic relation remains crucial to both sides, it is time to clearly draw the line and define what is really acceptable for us as Europeans with regard to privacy. Second, the decision gives us an opportunity to draft rules that respect privacy while keeping the Internet an open space in the Union. This might prove challenging, but in our day and age, we need to find innovative ways to approach technology and to embed it with our fundamental rights – including through the recent Umbrella Agreement on law enforcement-related data sharing with the U.S. These efforts should also include a path towards a more coherent approach between all 28 judiciary and supervisory systems, and consider consulting experts on the feasibility of retaining data on EU soil. Third, despite the goal of an open market and a Single Digital Market, EU policymakers need to remember the difference between ends and means: rights dictate the conditions imposed on businesses and data, not the other way around. Finally, we should welcome the increased visibility of the Court, as it has been taking on increasingly high-profile cases. This visibility is a reminder that the EU does have checks and balances, and that this authority will safeguard the values that are enshrined in our treaties.
In conclusion, to those who only see an ominous presage in the ruling: yes, this decision creates a blurry picture for the upcoming months. Yes, companies will face compliance costs. Yes, data flows will be handled differently. But the underlying reasons for this ruling are, in the end, worth it for Europeans who value their privacy and who believe doing so does not make them overly sensitive. Overreaction is too easy a word to throw at someone who does not believe things should stay the same simply because it is “easier that way”. This time, despite all complaints, the Court reminded us we should indeed not settle for the status quo when it no longer represents our best interests.