To do business in Digital Age, US and EU must compromise on privacy
© Getty Images

It was only a matter of time before European objections to U.S. privacy standards reached some sort of breaking point, and when the European Court of Justice decided earlier this month to invalidate the longstanding legal agreement that allows companies to send customer records and other business information across the Atlantic, it signaled that the moment has officially arrived. At stake is the future viability of the world's most important economic relationship: If it is to continue flourishing in the age of digital commerce, then both sides must make accommodations.

ADVERTISEMENT
The European Union and the United States established an official Safe Harbor agreement 15 years ago under the mutual understanding that both share the goal of protecting their citizens' privacy in a digital world, even though they go about it differently — the EU by adhering to comprehensive legislation, and the United States by taking a sector-by-sector approach that relies on a mix of legislation, regulation and self-policing. But Edward Snowden's revelations of U.S. surveillance practices have jeopardized this agreement. Europeans are furious because their laws provide a fundamental right to privacy, and they now believe — with reasonable cause — that they are not getting an equivalent level of protection from the United States.

Specifically at issue in the case that the European Court of Justice decided earlier this month was whether it should be legal under the Safe Harbor agreement for Facebook to transfer a European citizen's personal information to data centers in the United States. The plaintiff in the case, Austrian privacy activist Max Schrems, argued that moving his data into U.S. jurisdiction would unduly expose it to National Security Agency (NSA) surveillance programs. The European Court of Justice agreed, invalidating the Safe Harbor agreement on the grounds that U.S. privacy laws do not meet European standards. The working group of European data protection authorities said it would give the United States and Europe three months to come up with a new agreement before they take enforcement actions against companies.

European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law, but abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns. It is disrupting not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy. Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that this ruling does not continue to adversely affect transatlantic digital commerce.

But beyond a stopgap measure to minimize global economic disruption, the United States and EU should make a number of much-needed privacy reforms to rebuild trust and cooperation if these countries want the world's most critical economic relationship to continue. Most urgently, now that the United States and Europe have settled the "Umbrella Agreement" for exchanging data related to criminal activities, policymakers should also finish the process of creating a Safe Harbor 2.0 with terms that give comfort to all parties. In particular, the updated agreement should reflect the EU request that a national security exception is used only to the extent that it is strictly necessary and proportionate for a given incident.

And while Congress made progress in reforming U.S. surveillance practices when it passed the USA Freedom Act earlier this year, there is more still to do. Restoring confidence in U.S. companies that collect European data requires clarifying the full panoply of privacy safeguards that are embedded in U.S. law enforcement and national security policies and practices.

For example, to address European concerns about privacy protections for their citizens' data, the U.S. Senate should follow the House of Representatives' lead and pass the Judicial Redress Act, which would allow non-U.S. citizens to bring civil actions against the U.S. government if it violates the Privacy Act. Congress also should reform the Foreign Intelligence Surveillance Act to improve oversight, transparency and accountability whenever the government gets a warrant to collect private data for national security purposes.

Europe has reforms to make, too, including fully embracing its planned digital single market. Individual members of the EU should not be able to set their own privacy rules or other digital policies, nor should they be able to overrule the European Commission, because that would fragment the digital marketplace and raise costs for consumers and businesses. More broadly, the purpose of establishing a digital single market cannot be to create a "fortress Europe" where European technology companies have an unfair leg up on foreign competitors. It should instead be the first step toward a more seamlessly integrated transatlantic market.

If the United States and Europe do not come together to resolve their differences on these data privacy and security issues, then both sides will suffer. American companies need to be able to store and process European data in the United States, and vice versa, or it will harm all sorts of technology users, including both businesses and consumers. The better alternative is to build a durable privacy framework that provides the necessary safeguards and instills the requisite trust and confidence to drive long-term growth on both sides of the transatlantic digital economy.

Castro is vice president of the Information Technology and Innovation Foundation, a think tank focusing on the intersection of technological innovation and public policy.