Today’s decision by the European Court of Justice invalidating the “Safe Harbor” agreement between the US and EU should have come as no surprise. Privacy advocates on both sides of the Atlantic have long argued that this self-regulatory program, which enables US companies to transfer Europeans’ personal information to servers in the US, does not effectively protect it.
In Europe, privacy is a fundamental human and legal right. Europeans’ personal data can’t be stored or processed in third countries that don’t have adequate privacy laws. Since the US lacks a comprehensive legal framework for privacy protection, the Safe Harbor program was created to try to meet that adequacy test. Participating US companies promised to follow certain principles for the treatment of Europeans’ personal data. Since the program was launched in 2000, however, numerous studies have revealed many problems with how it operated, and questions have been raised about whether companies were actually living up to their promises.
The Snowden revelations about the National Security Agency’s mass surveillance of electronic communications touched off a firestorm in the European Parliament and cast the Safe Harbor agreement in doubt. Even as the EU was working with the US to try to resolve the issues with Safe Harbor, Max Schrems, an Austrian law student, was challenging Facebook, contending that when the company transfers his personal data to this country, US law and practices offer no real protection from government surveillance. His complaint eventually led to the court decision that ended Safe Harbor.
Why should we in the US care about this? After all, the Safe Harbor program had nothing to do with our data. But the fact is, the same US companies that collect Europeans’ personal information are collecting the personal information of users and customers here. Our personal data is not adequately protected from government or commercial surveillance. We don’t have meaningful control over who has access to it and how it’s used.
It’s not just a matter of principle, though the principle that privacy is a human right is very important. We are also concerned about how our personal information may be used in ways that are unfair or discriminatory; for instance, CFA is asking states to prohibit an auto insurance rate-setting technique called “price optimization” in which companies use information about consumers’ online shopping habits to figure out how much they can increase the premiums for individual customers.
While CFA has joined other groups in hailing today’s ruling, the situation that we’re left in is far from ideal. We support cross-border trade and we don’t want to stop the flow of data that is necessary to provide us with products and services. What we need are strong privacy protections in the US and effective remedies when our privacy rights are violated. The draft privacy bill that the Administration offered earlier this year missed the mark badly. It’s time to get serious about privacy in the US.