From the Snowden revelations to the collapse of the Safe Harbor, transatlantic data sharing has gotten significantly more complicated over the past few years. The primary problem is that the underlying policies supporting the digital economy are showing their age, and this framework is sorely in need of updating to match today’s globally-connected economy. Without modernizing these policies, U.S. tech companies stand to lose more than $35 billion and digital free trade will suffer as countries erect restrictions on cross-border data flows.
We need a renewed transatlantic dialogue on solutions to these problems. ITIF has proposed many ideas to address them, including:
- Creating a Safe Harbor 2.0 that builds in respect for European privacy laws and has strict limitations on exceptions for national security purposes
- Establishing a “Geneva Convention” for data to resolve international questions of jurisdiction and transparency regarding the exchange of information
- Strengthening the Mutual Legal Assistance Treaty (MLAT) process so that, where appropriate, law enforcement can gain access to data overseas
- Reforming U.S. law to provide equitable treatment of European citizen data
- Incorporating data free trade rules into new trade agreements
- Supporting strong encryption to ensure consumers have access to secure technologies without government backdoors
Today, Microsoft President and Chief Legal Officer Brad Smith has posted his take on four actionable steps he believes are necessary to solve the “privacy Rubik’s Cube.” Many of these ideas echo what ITIF has been calling for over the past few years. He writes:
Like the Rubik’s Cube, the solution is obvious only after it’s complete. In this instance, we need to take four steps.
First, we need to ensure across the Atlantic that people’s legal rights move with their data. This is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand access to personal information that is stored in the United States and belongs to an EU national in a manner that conforms with EU law, and vice versa.
Second, this requires a new trans-Atlantic agreement that creates not just a safe harbor, but a new type of connection between two ports. We need to create an expedited process for governmental entities in the U.S. and EU to access personal online information that is moved across the Atlantic and belongs to each other’s citizens by serving lawful requests directly with the appropriate authority in an individual’s home country. The requesting government would seek information only within the limits of its own laws, and its request then would be reviewed promptly by the appropriate government authority in the user’s country of nationality. If the designated authority determines the request is consistent with the privacy protections and other requirements of the citizen’s local law, it would validate and give it legal effect, authorizing disclosure.
If the U.S. government were to agree to follow this process for EU data that is stored in the United States, it plainly would satisfy the legal requirements noted by the European Court. The court required that EU nationals receive for data moved to the United States legal protection that is “essentially equivalent” to their legal protection at home. This would ensure precisely that, because their own governments would continue to apply their own law. And because this process would work in both directions, when American data is moved to Europe, American citizens would continue to be protected by U.S. law and the principles in the U.S. Constitution.
Third, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the U.S. government should be permitted to turn solely to its own courts under U.S. law to obtain data about EU citizens that move to the United States, and the same is true for a European government when U.S. citizens reside there. This is consistent with longstanding legal principles, as well as the practical reality that public safety issues are most pronounced when an individual is physically present in a jurisdiction.
Finally, it makes sense, except in the most limited circumstances, for governments on both sides of the Atlantic to agree that they will seek to access the content of a legitimate business only by means of service on that business, even when it is stored in the cloud. This would address one of the principal areas of current legal concern for businesses that are relying on cloud services.
It is encouraging to see high-profile support for reform in this area. Policymakers on both sides of the Atlantic should heed this call for reform and embrace this opportunity to establish a new framework for data-driven innovation going forward.