As reported in the Financial Times, the essential problem faced by the European Commission is to “balance the demands of privacy advocates and an angry public against fears that overly restrictive rules could limit companies’ ability to transfer data across borders and weaken their prospects in the digital economy.” This will not be an easy task. The proposals being considered to date are as follows:
- Strengthening “Safe Harbor” Data Privacy Rule for US Companies. For many years, US companies doing business in Europe (including those doing business solely on-line) have taken advantage of the so called “safe harbor” agreement in order to bypass EU privacy rules. Suspension of these rules would be the most straightforward a approach for the European Commission, but could have a significant impact on US companies doing business with EU citizens.
- Strengthen EU Data Protection Rules. The recent spate of spying has given impetus to the bolstering of European Data Protection rules, that have not been updated since 1995. The latest draft of the legislation would prohibit third-country access to EU personal data without the express permission of the relevant European authorities. Such a provision would be in direct conflict with US foreign intelligence laws that require US companies, such as Google, Facebook, and other internet and communications companies to hand over data to US intelligence services.
- Include Data Protection in US – European Trade Talks. A long term solution at best, this proposal floated by the Germans has the danger of derailing US-European trade negotiations and will likely not be pursued as a serious option.
- Suspend Data Agreement on Financial Transactions. Although there is evidence that the US-European Data Sharing Agreement has not been violated by recent US spying, one proposal would be to cut off US access to global financial data processed through SWIFT, a Belgian based group.
- Build Independent European “Cloud” Infrastructure. One proposal is to incentivize the development of an alternative “cloud” infrastructure that would be outside the jurisdiction of the US legal system and intelligence services. Although this proposal could limit the power of a US court to order a European company doing business in Europe to hand over private information on EU citizens, it would not prevent intelligence services from hacking the “European Cloud.” As is also the case with the other proposals being considered, the risk to the normal data flow required by business in the digital age is considerable.
As the European Commission considers its options, US companies that are doing business with EU citizens should pay particular attention to the possible changes in store as a result of the recent US spying. The revelations that US spying may have also included some degree of corporate espionage should also concern those US companies doing business in Europe.