EU's Safe Harbor decision reveals rift between US economic, privacy issues

A Congressional hearing turned combative at times on Tuesday, as legislators discussed the fallout of a European court ruling last month that said a 15-year-old data law was invalid.

A Congressional hearing turned testy on Tuesday as lawmakers discussed the complex and sometimes arcane negotiations between US and European companies that share data across the Atlantic.

Legislators had gathered to discuss how companies should navigate the fallout from a European court decision last month that axed the 15-year-old agreement that governed how the two regions share data. But concerns about privacy – especially regarding US government surveillance – reverberated through much of the debate, with one lawmaker calling privacy issues the “elephant in the room.”

The Safe Harbor agreement – which affects how about 4,500 American companies use data collected from European citizens – has a host of implications, from how Facebook shares user data abroad to how multinational corporations should handle employee information. A European Union working group said it has negotiated a revised Safe Harbor deal, but the final agreement could take several months.

While lawmakers from two subcommittees of the House Energy and Commerce Committee agreed Tuesday that passing a new Safe Harbor agreement was instrumental to restoring the economic relationship between the US and the EU, the debate over privacy issues appeared far less settled.

“I’m in a little bit of a dilemma,” said Rep. Joe Barton (R) of Texas, who co-chairs the Congressional Bi-Partisan Privacy Caucus. “If I put my pro-business hat on, I want to renegotiate this Safe Harbor agreement as soon as possible. But if I put my privacy caucus co-chairman hat on, I think the European Union has highlighted a substantial issue, that US privacy laws aren’t as strong as they could be.”

Part of the conflict was arguably by design. The European Court of Justice’s ruling was sparked by a lawsuit filed by Max Schrems, an Austrian law student who argued that European authorities should be able to investigate his claim that Facebook was exposing his data to US surveillance by passing it from servers at the company’s European headquarters in Dublin back to the US.

Companies have strongly fought back against this contention, blasting the European court’s decision as going too far and possibly leading US firms to face harsher standards than those that apply to European companies.

“There is a serious disconnect between the EU’s stated goals of spurring innovation and fostering a start-up culture and statements by some European officials about the need for IT independence and calls for data localization,” said John Murphy, senior vice president for international policy at the US Chamber of Commerce, during the hearing Tuesday.

Victoria Espinel, president of the software industry trade group BSA, told lawmakers that robust security protections were already in place to prevent unauthorized data transfers. Ultimately, she says, technology firms hope the EU and the US will work toward a broad policy – beyond just a new version of Safe Harbor – that would both address privacy concerns and allow the companies to keep working in Europe.

Rep. Jan Schakowsky (D) of Illinois said in an opening statement that she was preparing to introduce a bill that would provide stronger security standards on a variety of personal data that could be affected by the court’s decision, including geolocation data, health records, biometric details, and information on e-mail and social media accounts. She says she wanted to balance the likely economic impact on US companies with privacy concerns.

But other lawmakers expressed skepticism.

“Is it your position that US persons and non-US persons should be treated identically with respect to government collection of surveillance data?” Rep. Mike Pompeo (R) of Kansas asked Marc Rotenberg, president of the Electronic Privacy Information Center, which has advocated for stronger privacy protections for both European and American citizens.

When Mr. Rotenberg agreed, Rep. Pompeo pounced on the response.

“Fair enough,” he said, “Just so you know, that would be ahistoric. You could well be right about it being proper, but no nation has ever behaved that way with the collection of data for their own citizens... There’s always a wrinkle, there’s always an exception... I actually think the United States does a remarkable job of protecting citizens all around the world and protecting their data in their efforts to keep us all safe—"

Rotenberg interrupted, saying, “Sir, may I ask – do you think the Office of [Personnel Management] has done an excellent job protecting the records of federal employees?" referring to the recent OPM hack that exposed a variety of sensitive information.

“No sir, there’s errors all along the way—” Pompeo responded, but Rotenberg jumped back in.

“Twenty-one and a half million records — SF 86s — those are the background investigations for federal employees,” he said.

“I filled one out, I think mine was released as well, sir, so I’m infinitely familiar with that, I’m simply asking about policy,” Pompeo said, before moving on to another question.

Later, Rotenberg pointed to the large scale opportunity offered to regulators to address privacy issues through the European court’s decision.

“Privacy really does cross the aisle,” he said. “It’s also important in the context of this hearing to understand that there’s a difference between the political dimension of negotiations ... and a judicial decision by the top court in Europe."