On Oct. 6, the European Union’s (EU) top court ruled that the Safe Harbor provision was invalid. The efficacy of the legal framework, which required U.S. companies to protect data belonging to Europeans, was cast into doubt after Edward Snowden, a former U.S. National Security Agency (NSA) contractor, leaked documents detailing the U.S. government’s intelligence-gathering capabilities.
Now, multinational companies and global cloud providers are in a holding pattern. Brad Smith, Microsoft’s president and chief legal officer, noted today in a lengthy blog post that the court “struck down an international legal regime that over 4,000 companies have been relying upon not just to move data across the Atlantic, but to do business and serve consumers on two continents with over 800 million people.”
While the ruling is seemingly a setback for large cloud providers and online companies, many were prepared for the worst. Smith said, “Companies like our own that have put in place additional safeguards such as the EU Model Clauses will rely on and add to them, even while everyone discusses additional measures.”
Beyond the immediate legal and technical ramifications, “the collapse of the Safe Harbor reflects the remarkable evolution of privacy issues,” Smith said. He calls for a new agreement that prioritizes data privacy.
“Individuals should not lose their fundamental rights simply because their personal information crosses a border,” he stated. “While never stated quite this directly, this principle underlies every aspect of the European Court’s decision, and it makes sense.”
Fearing that strict data residency laws would mark “a return to the digital dark ages,” Smith also calls for a global Internet where data flows more freely, albeit with an eye toward privacy.
“This international movement of data is important not just for individuals, but for businesses and even countries. EU Commissioner for Justice Věra Jourová put it aptly when she responded to the European Court’s decision by noting that ‘it is important that transatlantic data flows can continue, as they are the backbone of our economy,’” Smith stated.
In the wake of the EU court’s decision, Smith proposes a number of guidelines for a replacement framework.
“First, we need to ensure across the Atlantic that people’s legal rights move with their data,” he wrote.
“This is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand access to personal information that is stored in the United States and belongs to an EU national in a manner that conforms with EU law, and vice versa.”
Smith also championed the idea of “a new trans-Atlantic agreement that creates not just a safe harbor, but a new type of connection between two ports” to settle jurisdictional tussles similar to the Ireland email case that Microsoft is currently appealing. When serving lawful requests for customer data, a “requesting government would seek information only within the limits of its own laws, and its request then would be reviewed promptly by the appropriate government authority in the user’s country of nationality.”