Avoiding the end of data globalisation
"What is the worst thing that could happen?" I was asked at one of the many recent events discussing the consequences of the Court of Justice of the European Union's ('CJEU') decision on the adequacy of Safe Harbor. "That all personal dataflows between Europe and the US are deemed to be unsafe and hence unlawful" was my answer. Not a prospect that I ever thought could materialise, but the general panic surrounding this issue is leading us to believe it might. The much-awaited statement by the Article 29 Working Party does not give us much comfort: it calls for a political, legal and technical solution, and warns that if this is not found by the end of January 2016, regulators will take 'all necessary and appropriate actions'.
Is this the beginning of the end of data globalisation? Is an archaic legal restriction about to kill a phenomenon that has enabled the information economy to take off and is essential for the world's prosperity? Are politicians, regulators and judges absolutely barking mad? Perhaps we should consider what motivated the decision that has caused this debacle. Fortunately for us, it is all written down and translated into many languages for anyone to read. In short, it is all about our fundamental human right to be free. To elaborate, the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. That is a job for the data protection authorities. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law.
Those who see the CJEU's decision as a direct attack on American political and economic interests should remember that the CJEU relied on exactly the same rationale to shoot down the EU data retention directive, which was aimed at preserving communications data for law enforcement purposes in Europe. In fact, the underlying reasons for the harsh approach adopted go much deeper than what has been erroneously perceived as a dig at the technological dominance of the US. The reality is that the EU and the US share the same goal: having a free and just society where people can be safe irrespective of their beliefs. That goal is rooted in the US Constitution as well as in its European equivalent, the Treaty of Lisbon. Basically, we are all on the same side. But according to the CJEU, that goal demands that the degree of interference with our fundamental rights leaves room for some minimum safeguards and is limited to what is necessary in a democratic society.
As it happens, that is not 'mission impossible' – not in Europe or in the US anyway. Other jurisdictions would probably be a lot trickier. To the Obama Administration's credit, it did not take very long for the Snowden revelations to start triggering some changes. Following a swift but thorough review of surveillance and information gathering practices, the US government has already adopted the USA Freedom Act, which targeted the much feared Patriot Act, and is now pushing for the approval of the Judicial Redress Act, which will extend current judicial redress rights beyond US citizens. Each of those steps brings the US legal framework closer to what the CJEU would regard as compatible with European rights, and the process is ongoing.
But as we also know in Europe, political and legislative reforms do not happen overnight. So perhaps it is not very realistic to think that a whole new EU rights-friendly legislative framework will be in place in the US by the January 2016 deadline set by the Article 29 Working Party. Understandably, that is a source of much anxiety for those organisations that, to their bemusement, are being asked to replace their imperfect Safe Harbor-based compliance with a magically perfect global data protection framework. How can we then avoid the end of data globalisation? If waiting for a political solution is not an option that European regulators will deem acceptable but current alternatives – such as the European Commission's standard contractual clauses or even BCR – are dismissed as equally flawed, is there any other lawful option? Or are we irremediably moving in the direction of a European data localisation regime?
Clearly, that cannot be the right approach and, frankly, that is not what the data protection authorities are necessarily asking for. What regulators ultimately want is responsible data practices that take into account the CJEU's message and deliver not perfection but proportionality. Measures such as robust data disclosure policies, transparency reports, data deletion protocols and even end-to-end encryption can all contribute to demonstrating to regulators – and more importantly to users and citizens – that protecting our privacy is indeed compatible with data globalisation.
This article was first published in Data Protection Law & Policy in October 2015.
Lawyer, Lecturer on the Second-Level Master's Programme at Università Tor Vergata Roma, President of the "New Technology, Personal Data and Communication Law" UAE Commission, Data Protection Officer
9 years ago: The ECJ rule refers to three fundamental rights: 7, 8 and 47 ... the "Judicial redress act" approved by the U.S. House of Representatives, can be a first step for the respect of the article 47 ... but surely you read the H.R. 1428, the system is not too easy as told ...
Lawyer & Partner at Hogan Lovells International. IP, Information Technology and Data Protection/Privacy
9 years ago: Great article!
Cyber Security Architect
9 years ago: Very insightful, and one of the few articles to have noticed that the ruling was in relation to the charter of fundamental rights - not just the data protection directive. January could be an eventful month.
Senior Manager | Data Protection Officer | Solicitor
9 years ago: Thanks Eduardo, a thoughtful piece. I do wonder where the line will ultimately be drawn? Will controllers be told to keep EU personal data in the EU or not to use U.S. processors full stop? Regulators need to help foster growth, investment and the global economy and help to protect our fundamental privacy rights. A tough ask but I am confident a solution will be found. It must!
Compliance, Data Protection and Ethics Counsel Manager ( Data + AI Group ), Accenture
9 years ago: As always, great article. And very insightful thoughts. We should focus on increasing the opportunities for data globalization.