A gathering storm in the cloud

The US and Europe need a framework for regulating personal data stored overseas

The United States and the nations of the European Union don’t see eye to eye on many topics: the more interesting version of football, the appropriate minimum age of alcohol consumption, and the use of international military force being among them. Yet for several years, one such conflict — on data protection — has grown from a divide into a gulf, and just about two months ago, the bridge connecting the two collapsed.

On Oct. 6, the European Court of Justice (ECJ) struck down the Safe Harbor agreement that governed the transfer of European citizens’ data to the U.S. This provision protected thousands of U.S. technology companies from litigation when operating in Europe, so long as they complied with the provisions in the agreement. Upon its invalidation, all such companies relying on cloud-based storage for their services might now be in violation of European data protection laws. Each member state’s Data Protection Agency (DPA) can now exercise its own authority over the services offered to its citizens. As can be imagined, the many affected technology firms and the industry as a whole are waiting with bated breath for clarification of the ruling and for guidance.

Yet the fall of the Safe Harbor agreement was not entirely unforeseen. The Safe Harbor Framework was not codified in a treaty but was crafted by the U.S. Department of Commerce and the European Commission (the executive body of the EU). It was created in 2000, still in the relatively early years of broad Internet adoption, when just over 400 million people were on the Internet. Today, that figure is over 3.2 billion.

The agreement relied in part upon clarifications of privacy principles detailed in the Frequently Asked Questions section of some of the communications between the European Commission and the Commerce Department. Thus the agreement was reminiscent of an official contract scrawled on the back of a napkin: legally binding but uncomfortable.

The ECJ struck down the agreement because it prioritized “national security, public interest, or law enforcement” above the EU’s privacy principles. Unlike the U.S. Constitution, the EU Charter of Fundamental Rights specifically details privacy and data protection as fundamental rights.

As a result, tech companies currently have four general options. First, they can stop using the cloud and therefore no longer transfer data across the Atlantic, though this option is quite unlikely. Second, companies can ignore the issue and hope that a new agreement will be reached. Third, companies could anonymize all sensitive private information before storing it in the cloud, which may end up breaking the ever-increasing number of services that require identifiable information to function. Lastly, major cloud providers can offer options to store non-anonymized data solely within the borders of the nations of each citizen, which imposes technical costs in implementation, physical costs in new data centers, and legal costs in ensuring that the resulting system actually complies with all the subsequent data protection regulations.

Unsurprisingly, most companies seem to have chosen the second option: waiting for the dust to settle. Yet given that any new agreement requires consensus among the U.S. Commerce Department, the European Commission, and all 28 national DPAs, that wait may be extensive. In the long term, however, the fact that these negotiations will stretch on may end up being a boon.

All of the legal factors and business interests arising from the ECJ decision mask a deeper truth: this issue is not merely legal, but also cultural. While sentiment may vary between member states, it is telling that Google, a poster child for massive data analysis of its users, is referred to in Germany by the disapproving moniker datenkraken, after the legendary sea monster. Whether or not a Safe Harbor 2.0 is implemented soon, the different paths that Europe and the U.S. walk with regard to privacy and data protection are not likely to intersect soon. Therefore, regardless of what legal remedies are used to calm the panic felt by the technology industry, a long-term vision is required. In particular, policymakers should build a flexible framework for future bridges across cultural and legal differences in this area, not meager palliatives for the present.

So we must ensure that the final agreement is not only a set of provisions, but also a schema that will allow evolution alongside cultural views of privacy and data protection. Otherwise, in 15 years, another storm in the cloud may gather.