Opinion: Forget about Safe Harbor. Modernize global privacy law instead
When the European Court of Justice invalidated Safe Harbor, it became clear that a single data agreement couldn't account for all the ways countries balance privacy, freedom of expression, and national security.
There's a widening transatlantic divide regarding privacy rights that needs to be bridged – and soon.
But instead of coming up with another version of the data transfer agreement between the US and European Union known as Safe Harbor, we need a new set of global standards to build a common vision of privacy rights in the Digital Age.
That might sound unachievable and impractical to the more than 4,500 European and US firms that have relied on Safe Harbor for more than 15 years to transfer EU data stateside. But when the European Court of Justice invalidated that deal, in the aftermath of the Edward Snowden revelations that Europeans' data was subject to National Security Agency surveillance, it became clear that a single data agreement couldn't account for all the ways countries balance privacy, freedom of expression, and national security.
As Yale Law School Prof. James Whitman has argued, "in the law of privacy ... the contrast between Europe and the United States is stark and is growing starker."
What's more, it's becoming clear that European and US negotiators won't find a way to repair Safe Harbor before the Jan. 31 deadline that EU data protection authorities set for a new deal. Without that revised arrangement to safeguard Europeans' data from US government snooping, EU regulators have threatened "mass enforcement of illegal data transfers" starting as early as February.
Even if negotiators reach a last-minute deal on Safe Harbor, it would still face legal challenges in the EU from both European citizens and data protection authorities questioning the deal’s adequacy.
But a new Safe Harbor is simply a Band-Aid. Instead, let's start a dialog to clarify and upgrade global privacy standards. Let's flesh out the right to privacy mentioned in the 1948 Universal Declaration of Human Rights, which was expanded upon by the 1966 International Covenant on Civil and Political Rights (ICCPR) that has been signed by more than 160 nations including the US.
In particular, Article 17 of the ICCPR states, "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation."
We also need a new protocol in the convention, updating Article 17 to include the "digital sphere" so as to create "globally applicable standards for data protection and the protection of privacy in accordance with the rule of law."
The German government – notably German Federal Data Protection Officer Peter Schaar – has pushed this approach, which was approved by the International Conference of Data Protection and Privacy Commissioners in 2013. Its passage was notable both for its timing – participants have been calling for a treaty guaranteeing data protection and privacy as a human right since 2005 – and for the diverse array of participants involved, including Japan, New Zealand, France, Slovenia, Ireland, Spain, Germany, Burkina Faso, Canada, and the US.
Only the US abstained in the final vote. That was a mistake. If the US were to support Germany and other nations' efforts, it would send a powerful message to both the EU and to the US tech sector that Washington is committed to modernizing international privacy law.
The German government has long argued that international privacy law has lagged behind digital realities, though the tenor of the debate changed following Mr. Snowden's leaks. Still, privacy guidelines remain largely nonbinding. That is not to say that the situation has remained stagnant. The UN General Assembly took action in late 2013, passing a consensus resolution on “[t]he right to privacy in the digital age” affirming that human rights, including privacy and freedom of expression, apply online, in a move that could contribute to a positive cyberpeace.
Without clarification, the utility of the ICCPR and human rights law generally in advancing global privacy law will continue to be undermined by spy agencies and private industry. But with renewed support, several ICCPR provisions – including Article 17 (protecting the right to privacy) and Article 19 (protecting the right to seek information) – would have new life as applied to data privacy.
Supporting the drive for a new protocol would seem to be the most politically palatable option for US policymakers in the near term, but there is an argument to be made that these options are not mutually exclusive – negotiations could begin on a new international privacy treaty in tandem with mutually reinforcing work on a new Protocol to Article 17.
US engagement in any of these options beyond Safe Harbor would send a powerful message to the world that would help rebuild trust in both the US government and the US tech sector – providing businesses with greater certainty, and helping to narrow the widening transatlantic rift over data.
Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy. Follow him on Twitter @sjshacke.