The European Union and the United States are about to give us some idea of how their negotiations over the Safe Harbor dispute are going. The European Court of Justice ruled that the Safe Harbor arrangement — a critical bridge for e-commerce firms and other businesses that need to move personal information across the Atlantic — was invalid, because it did not protect European citizens against U.S. surveillance. Companies like Facebook and Google are waiting with some trepidation to find out, since a collapse of negotiations might have very serious implications for their business model. Last week I spoke to Cameron Kerry, the former acting secretary of commerce and general counsel of the Department of Commerce, who played a key role in early negotiations with the EU on privacy.
HF – You argue in a forthcoming report that the European Union does not understand how well the U.S. protects privacy. Why is this so?
CK – We think that there are a lot of misperceptions in Europe about the U.S. We don’t have the kind of single comprehensive law that Europeans are familiar with. We have a complex body of laws at the state and federal level covering various sectors, and we have what amounts to common law with the FTC enforcing privacy standards on a case-by-case under a very broad mandate. An increasing number of agencies are getting involved, and states have their own laws too. In the Privacy Bridges program, an effort by regulators and academics on both sides of the Atlantic to come up with pragmatic ways to bridge the gap, the first thing everyone had to do was to come up with a 1-2 page paper describing the other continent’s privacy laws. Even those highly informed experts in the field had massive and divergent misunderstandings and misconceptions. If it’s hard for experts, it’s exceptionally hard for most people. The report is an effort to walk people through the elements of the American system for commercial privacy and surveillance and to show how that compares with the European system.
CK – Dealing with the political reality, we have to see what steps are doable in the near term. I think that in the long term there is a lot more that can be done about interoperability of the two systems, but we need to rebuild trust first. That has been a real casualty of the Snowden stories.
HF – If an agreement isn’t reached, what are the likely consequences for the United States and U.S. businesses that rely on Safe Harbor?
CK – I think it’s a recipe for chaos, because you’ll have 44 different data protection authorities trying to resolve issues about other transfer mechanisms. That creates a lot of uncertainty, and undoubtedly there will be adverse decisions that will play out in proceedings in front of data protection authorities, proceedings in front of national courts, and eventually European courts over a period of time. It won’t be great.