Nov 03, 2015 - 10:00am

Safeguarding Transatlantic Data Flows After the ‘Safe Harbor’ Decision

Senior Vice President for International Policy


If global movements of capital are the blood that powers the world economy, the movement of data is its nervous system.

So when the European Court of Justice last month decided to invalidate the 15-year old “Safe Harbor” agreement that has facilitated the movement of data across the Atlantic, the world sat up and took notice.

What exactly does this mean?

I was pleased to testify today before the House of Representatives Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade on the European Court of Justice (ECJ) Safe Harbor decision and its impact on transatlantic data flows.

The context for today’s discussion is the U.S.-EU economic relationship, which is without peer. Total U.S.-EU commerce tops $6 trillion annually and employs 15 million Americans and Europeans, and a huge share of this trade depends on the flow of data across the Atlantic.

Examples of data flows take many forms:

  • A small exporter selling through an e-commerce portal
  • A large firm with operations in multiple countries managing its human resources
  •  A wind turbine sending data on its performance to the engineers who keep it running
  • A transatlantic tourist using a credit card

In short, the issue of data flows doesn’t just affect “Internet companies” but all companies. This isn’t about the “Internet economy” — it’s about the economy, period.

Safe Harbor has served as a valuable tool for companies of all sizes and sectors to assure Europeans that companies are meeting EU data protection standards. It’s been used for a variety of business-to-consumer and business-to-business functions, as well as non-commercial purposes, such as health and safety concerns.

Before its ruling, the European Court of Justice did not conduct any formal investigation into current U.S. surveillance oversight. In fact, it relied on outdated reports and unproven news stories, and it provided legal reasoning based largely on process concerns.

Even so, the ruling has had a very real impact on American companies of every size and sector. More than 4,400 companies were left asking whether they could continue transferring personal data from Europe. They are now faced with the tough choice of deciding whether to continue their transatlantic business or face potentially costly enforcement actions.

While companies in the Safe Harbor program continue to guarantee a high level of data protection for the users of their products and services, developing alternatives to Safe Harbor cannot happen overnight.

Data privacy systems are legally and technically complex. One alternative suggested by the European Commission, Binding Corporate Rules, can cost over $1 million and take at least 18 months to develop and implement. These are non-starters for small businesses.

Or consider a U.S. hotel chain with locations across Europe, each of which works with a host of small companies providing food for the in-house restaurant or janitorial services. All of these relationships involve data flows, and that means there are hundreds of arrangements across hundreds of properties that may need to change — at considerable cost.

Another example comes from the auto industry, which uses Safe Harbor to identify vehicle safety issues and for quality and development purposes. However, the industry now faces the challenge of meeting both U.S. and EU regulatory requirements. Under U.S. law, auto manufacturers must share vehicle identification numbers of cars sold globally in the event of a vehicle service campaign, such as a recall. This U.S. obligation may now conflict with EU privacy rules.

So what’s the outlook?

Absent a new Safe Harbor agreement, companies may be faced with a patchwork of 28 different enforcement and compliance regimes in different EU Member States — or more where local governments are involved.

Such an outcome would show the serious disconnect between the EU’s stated goals of spurring innovation and fostering a startup culture and statements by some European officials about the need for IT independence and “localization” of data.

Further, some in Europe are trying to use legitimate concerns about data protection as an excuse for protectionism. This approach has been frequently rebuked by many others in the EU, but it merits careful scrutiny nonetheless.

While the business community is committed to working with our European colleagues to ensure a balanced and proportionate system of rules, we urge Congress and the United States government to remain vigilant.

We must ensure that the European Union does not hold the United States to a different standard on national security and law enforcement issues, and that it otherwise ensures a level playing field for all actors.

Specifically, what should be done?

First, we need a new and improved Safe Harbor agreement. The Chamber greatly appreciates the efforts of the Department of Commerce and the FTC to provide clarity and reach an agreement on a revised Safe Harbor.

We applaud the House for taking an important first step towards resolving these concerns with the passage of the Judicial Redress Act. We are encouraging the Senate to act swiftly to give this bill final passage. The recently announced Umbrella Agreement is another important step forward.

Also important are other safeguards instituted in the United States since 2013 that provide a level of protection equivalent to or even greater than that found in the European Union and among its Member States.

The invalidation of the Safe Harbor agreement was a shock to the world economy’s nervous system. The Chamber is committed to working with officials in Europe and the United States to calm frayed nerves and find a way to ensure that data can continue to flow across the Atlantic.

About the Author

About the Author

Senior Vice President for International Policy

Murphy directs the U.S. Chamber’s advocacy relating to international trade and investment policy.