Privacy advocates exploit European Safe Harbor ruling to revive rejected ideas

In a stunning setback to trans-Atlantic digital commerce, the European Court of Justice ruled in the Schrems v. Data Protection Commissioner case in October that the Safe Harbor agreement, which allows data to be transferred from the EU to the United States, is invalid. The court reasoned that, given the pervasive digital surveillance revealed by Edward Snowden and the lack of standing afforded to those who have appealed these actions in U.S courts, the Safe Harbor agreement is an ineffective tool to protect their citizens’ data. In response, a number of hardline consumer privacy advocacy groups, like the Electronic Privacy Information Center, have argued that the U.S. “must update domestic privacy law,” part of a “strategy that enables transborder data flows to continue.” However, the truth is that these groups are merely exploiting the current confusion over the future of the Safe Harbor agreement to promote their long-held agenda of enacting stringent new privacy rules on U.S. businesses that would harm innovation.

As the Information Technology and Innovation Foundation (ITIF) and others have argued, it is vitally important that the United States and Europe, which were already in negotiations to modernize the Safe Harbor agreement, come to new terms that preserve the efficient cross-border transfer of data while also protecting citizens’ privacy. In addition, congressional action on bills such as the Judicial Redress Act, which would provide reciprocal rights to citizens in certain foreign countries so that they can seek remedies in U.S. courts if the U.S. government violates their privacy, would help allay some concerns about the treatment of EU citizen data by the U.S. government.

But there is nothing in the Schrems ruling that suggests that Washington policymakers have no choice but to dismantle the Federal Trade Commission’s (FTC) oversight of U.S. companies and replace it with European-style privacy laws in the United States. As FTC Commissioner Julie Brill has publicly stated, the “Safe Harbor gives the FTC an effective tool to protect the privacy of consumers in the EU and the U.S.” The process of allowing the FTC to regulate U.S. companies’ privacy practices, including their commitments to the Safe Harbor agreement, has been an overall success. Indeed, Brill pointedly noted at a recent conference in Amsterdam that the Safe Harbor “was the wrong target for arguments that U.S. surveillance practices violate the privacy rights of Europeans.”

However, following Chicago Mayor Rahm Emanuel’s dictum of never letting a good crisis go to waste, a group of U.S. and European privacy advocacy organizations are claiming otherwise. In a recent letter, privacy activists, including groups such as the Electronic Privacy Information Center and Center for Digital Democracy, entreated Commerce Secretary Penny Pritzker to commit to six reforms, chief among these being that “the U.S. should enact a comprehensive legal framework for data protection based on the Consumer Privacy Bill of Rights” and “the U.S. should ratify Council of Europe Convention 108.” But these are not a targeted set of recommendations related to government access to data necessary for resolving this trans-Atlantic dispute. Instead, these are the same tired policy recommendations related to commercial use of data that these groups have been unsuccessfully pushing for years, which would significantly curtail the thriving data economy in the United States, an area where the United States enjoys a considerable lead over Europe to the benefit of its consumers and workers.

As others, including Brill, have noted, part of the problem here is that many people simply “do not fully understand U.S. privacy law.” Whereas the European Union has the Data Privacy Directive, the United States does not have a single, comprehensive privacy law. Instead, the United States has a variety of federal and state laws that protect the privacy and security of consumers’ personal information. The point of the Safe Harbor is to make these two different systems compatible. U.S. policymakers should not simply adopt whatever rules and regulations come out of Brussels.

As the negotiations over a Safe Harbor 2.0 continue toward a January 2016 deadline, U.S. policymakers would be wise to understand that these privacy advocates are trying to capitalize on concerns about further disrupting trans-Atlantic data flows to push their dusty agenda. If they succeed, the cure will be worse than the disease.

Castro is vice president of the Information Technology and Innovation Foundation, a think tank focusing on the intersection of technological innovation and public policy.