Enacting ECPA reforms will help resolve the US-EU Safe Harbor negotiations
By any measure, the significant trade in data and data-powered services enjoyed by U.S. companies utilizing the data of European Union (EU) residents is imperiled by conflict over the EU’s perception that the U.S. government’s access to EU citizens’ data is unconstrained. Privacy is a fundamental right in the EU. It is not something the U.S. can merely acknowledge through words; it must also be reflected in deeds.
One of the most tangible ways to stave off a damaging trade war and strengthen the capacity for U.S. companies to offer Europeans data-driven products and services is to enact meaningful reforms sought for years by U.S. businesses and privacy advocates alike. The best vehicle for doing so – particularly in the short term – is legislation that would update the Electronic Communications Privacy Act (ECPA).
In October, the European Court of Justice (ECJ) ruled that the agreement known as Safe Harbor (SH), which permits lawful transfer of EU residents’ data to the US, was inadequate to ensure those residents’ privacy was protected. Alluding to revelations about alleged surveillance practices by the U.S., the ECJ has imperiled the ability of American companies across all industries to access their customers’ data from across the pond and provide services and products back to those customers. Negotiators hoping to replace the agreement struck down by the ECJ are left uncertain as to what U.S. reforms might allow the EU to conclude that a new SH agreement upholds European privacy principles.
The absence of concrete solutions on both sides of the Atlantic unfortunately creates a leadership vacuum that encourages problematic proposals. Ideas such as data localization, which is protectionism masquerading under the rubric of data protection, ultimately harm U.S. and European businesses that rely on SH while actually weakening the privacy protections for consumers in the U.S. or the EU.
Left unresolved, the ECJ decision will drive business away from U.S. companies and to EU-based competitors while causing U.S. companies to expend significant resources to collect, store and process the data of Europeans solely in Europe, an undertaking that may be technically impossible in any case. Arguably, due to routine enforcement of U.S. consumer privacy laws, the U.S. actually provides better consumer privacy protections for U.S. companies’ EU resident customers’ data than is afforded by current EU law, which is rarely enforced. Leaving data solely in the EU, therefore, does not necessarily improve EU residents’ privacy.
The ECJ succinctly stated what surveillance problems needed to be fixed and provided a roadmap to reaching a new agreement. One demand made has been that the US adopt reforms comparable to the Judicial Redress Act, which would ultimately empower EU citizens by granting them rights comparable to those that U.S. citizens enjoy to challenge U.S. government agencies’ handling of individuals’ data and force redress for violations of those rights.
The ECJ also sought additional limitations on the U.S. government’s ability to access EU citizens’ data. The ECJ wrote that “[f]urthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary . . . . In particular, legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life . . . .” While the ECJ did not demand enactment of specific legislation, reforming ECPA could address the ECJ’s concern about “access on a generalized basis to the content of electronic communications.”
Pending legislative reforms to ECPA would mandate that law enforcement must obtain a warrant whenever it seeks to compel a company to disclose the content of communications of the target of an investigation. That rule has become the de facto standard – but not the law of the land – since the U.S. Court of Appeals for the Sixth Circuit ruled in U.S. v. Warshak that ECPA is unconstitutional to the extent it does not require a warrant for the content of users’ communications. Updating ECPA would give important legal clarity to businesses that help people everywhere communicate electronically.
More importantly, it would establish a bright line protection for people’s content that politicians across the EU could also rightly celebrate because proposed reforms would benefit Europeans. If U.S. law enforcement issues a legal demand under ECPA to a U.S. service provider, the U.S. provider must comply, regardless of the citizenship of the target. As a result, Europeans have much to gain by an ECPA update that would increase requirements for U.S. government access to user data.
ECPA legislative reforms enjoy unusual and extraordinary Congressional support. H.R. 699, authored by Reps. Yoder (R-Kan.), Graves (R-Ga.) and Polis (D-Colo.), is supported by a majority of Republicans and has 304 cosponsors. Its Senate counterpart, authored by conservative icon Sen. Lee (R-Utah) and liberal icon Sen. Leahy (D-Vt.), has 24 cosponsors spanning the ideological spectrum. The White House generally supports ECPA reforms. ECPA is a legislative goal that is clearly within reach for a Congress often stuck in stalemate. This makes this privacy reform an achievable and suitable target to sweeten the deal and regularize U.S.-EU consumer data transfers.
The U.S. is a data-driven economy. One significant economic advantage that U.S. businesses hold is that American companies often lead on work with data, especially data of people. While that leaves our economy exposed to various countries’ efforts to impose unique rules concerning personal data, it produces enormous benefits for America. It behooves U.S. legislators to recognize that this economic leadership position is threatened by inaction. That is especially the case when updating ECPA enjoys overwhelming support in the House of Representatives, significant, bipartisan support in the Senate, and nearly unanimous support from businesses and consumer and privacy advocates in the U.S. Following the ECJ’s privacy reform roadmap to swiftly enact ECPA reform can immediately advance the negotiations to facilitate legal certainty for transatlantic data trade.
Sparapani is a principal at SPQR Strategies, specializing in privacy, technology and constitutional law. Prior to SPQR Strategies, he was the first director of Public Policy at Facebook and served as senior legislative counsel at the American Civil Liberties Union.