Twitter updated its privacy policy this week. Amid mostly routine changes, the last sentence said this: “We’ve also removed the EU Safe Harbor Framework section.”
This is more important than it sounds. ”Safe Harbor” is an obscure but deeply significant set of rules that has governed transatlantic data-transfers for the past 15 years. In short, it is what makes it possible for Twitter, Google, Facebook, and other American tech giants to operate in the European Union.
But in October last year, the EU’s highest court ruled that Safe Harbor was invalid, instantly putting many American tech companies in breach of European privacy laws. The court wanted stronger guarantees that European citizens’ data wouldn’t be subject to mass surveillance by the US government, driven by the revelations of indiscriminate snooping uncovered by whistleblower Edward Snowden.
Since then, officials in Brussels and Washington have been furiously crafting a new data-sharing agreement. The deadline for a new deal is now just days away: a powerful group of national privacy regulators in the EU has demanded an agreement by Jan. 31.
If negotiations on a new data-sharing agreement fail, American tech firms could be forced to keep all the data they collect about Europeans within Europe, a significant and costly restructuring for many. “The transatlantic economy as a whole is dependent on a successful outcome,” Microsoft president Brad Smith said recently. “These negotiations are too important to fail.”
Oil for a new age
It’s been said that data is the “oil of the 21st century,” although at $30 a barrel, data is arguably even more valuable than the black stuff today. A comparison of intercontinental data capacity today versus shortly after Safe Harbor was established shows the explosion in activity:
These cross-border data flows have accrued monetary value thanks to legal frameworks like Safe Harbor. “Safe Harbor is one of the main reasons why the economic value of data grew year by year so greatly,” Georgios Petropoulos, a visiting fellow at Brussels-based think tank Bruegel, tells Quartz.
Petropoulos, with colleague Cassandra Liem, has tried to quantify the value of personal data to tech companies and economies in general. It’s tricky because, ironically, there is not enough data to make solid calculations. But it’s clear that few have turned data into profit more effectively than Google. So Petropoulos settled on the average revenue from ads earned per Google user, or ad ARPU, as one measure of personal data’s dollar value to Google and its ilk:
If regulations stop data from flowing as freely as oil or other commodities, these values will surely take a hit. That’s what makes a new Safe Harbor agreement so crucial—the ability to securely transfer and store customer information is central to the business models of the tech giants.
The good, the bad, and the ugly
What could happen at the deadline for a new Safe Harbor deal? There have been a few cheerleading pronouncements from European officials, but nothing definitive. European negotiators are thought to be watching for the passage of a key piece of data-privacy legislation in the US Senate as a “signal of trust.”
In the meantime, things remain up in the air. Here are a few of the possible scenarios, in descending order of pain for American tech companies (with 🔥 being mildly annoying and 🔥🔥🔥 requiring a major overhaul):
🔥🔥🔥 No deal, and the internet is ”Balkanized.” If the EU and the US can’t agree on a new way to treat transatlantic data-flows, then the biggest tech companies will be forced to store European users’ information in data centers located in Europe. This amounts to internet “Balkanization,” according to Bruegel’s Petropoulos. In China, for example, the “Great Firewall” regulates the flow of all information through the country’s borders, while a new law requires foreign tech companies decrypt user data for some government investigations. Europe could be headed in that direction. “If there is no agreement, we could move to a situation like China,” says Petropoulos. Indeed, “the big tech companies have already started large-scale investment of European data centers,” he adds.
🔥🔥🔥 No deal, and regulators crack the whip. If a new deal isn’t made, national regulators could launch ”coordinated enforcement actions” next month against companies previously on the Safe Harbor list. The biggest US tech firms are the likeliest targets, says Kirsten Whitfield, a director at law firm Wragge Lawrence Graham & Co. “The Microsofts, Facebooks, and Googles of the world are the primary target of scrutiny for the privacy regulators,” she tells Quartz. “They have warned that if companies didn’t get their houses in order, they would start investigating and taking action against non-compliant organizations.” There are workarounds, but no guarantee of leeway from regulators in the absence of a broader agreement governing data transfers between the US and EU.
🔥🔥 No deal, and private lawsuits force some data transfers to stop. Europe’s top court invalidated Safe Harbor in the first place because of a complaint brought against Facebook by an Austrian law student, Max Schrems, to the Irish data protection authority. The New York Times reported that Schrems is preparing further legal action if no deal is made. Jacques Bourgeois, a senior advisor at law firm Sidley Austin, tells Quartz that someone like Schrems could well take action at the national level to prevent personal data from being transferred to the US without a new framework.
🔥 No deal, but no investigations. The EU’s Justice Commissioner, Vera Jourova, has promised an update on the “state of play” of negotiations on Feb. 1. This suggests that finalizing a new agreement is unlikely before the deadline, but also that all hell won’t break loose on that day. National regulators could give negotiators more time to hammer out a deal, provided that enough progress is made by Jan. 31. This classic EU fudge is the most likely scenario. ”The deadline was set to motivate the two sides to start serious negotiations. If we reach Feb. 1 and there is no concrete statement, but we have made good progress, then the national regulators will step aside and say, okay, we will give you more time,” Bruegel’s Petropoulos tells Quartz.
🔥 Safe Harbor is dead, long live Safe Harbor. A new deal is reached, and it looks a lot like the old agreement. Law firm Sidley Austin has published an extensive report that parses a point made in the European court’s ruling to strike down Safe Harbor. It’s the “essential equivalence” test, which says that Europeans and Americans must have roughly the same privacy protections in either place. Sidley Austin says there is a “compelling” basis to find that “the US legal order for privacy and data protection is essentially equivalent to that of the EU.” In practical terms, this means that the US side will show that its laws pass the equivalence test to the Europeans. The Europeans, after conducting their own analysis, will come to the same conclusion vis-à-vis the US. “We would have some sort of arrangement that follows the same format as Safe Harbor … with additional tweaks,” Sidley Austin’s Bourgeois says. It will be business as usual, and we will look back and wonder what all the fuss was about.