U.S. Government Surveillance Threatens E.U.-U.S. Privacy “Safe Harbor”

December 9, 2013

EU CybersecurityThe European Commission has informed the U.S. government that its apparent data surveillance activities threaten to undermine the existing negotiated information privacy arrangement that currently enables U.S. businesses and other American organizations to collect and use personal information from citizens of European Union nations.  If the E.U. determines that the safe harbor has been violated by N.S.A. and other U.S. government surveillance activities, American businesses could suffer substantial commercial harm by being denied access to the personal information of E.U. citizens.

European laws protecting the privacy of personal information prohibit the collection or use of personal information associated with European citizens by people and organizations that are not subject to national privacy laws that are at least as rigorous as those applied in the E.U.  U.S. privacy laws are not adequately stringent to satisfy the E.U. requirements.

In order to avoid the massive commercial disruption that would be caused by denial of access to European personal information for American organizations, however, authorities in the E.U. negotiated an agreement, the so-called privacy “safe harbor,” with their U.S. government counterparts.  Under the terms of this safe harbor arrangement, American companies that contractually commit to information privacy terms that comply with E.U. requirements, and so certify that commitment to the U.S. government, are deemed to be qualified to collect, accept, and use European personal information.

European authorities have now advised the U.S. government that the disclosures by Edward Snowden and others revealing that the N.S.A. and other U.S. authorities are engaged in data monitoring that compromises the privacy of customers of many different American businesses acting within the terms of the privacy safe harbor appears to be a violation of the negotiated privacy arrangement.  The European authorities contend that the surveillance seems to be a clear indication that American enterprises are no longer able to honor their safe harbor privacy commitments because they can not effectively avoid the U.S. government data surveillance.

If European authorities continue on their present track, the consequences for U.S. businesses could be significant.  A determination by the E.U. that the privacy safe harbor terms have been violated and that continuing U.S. government data monitoring makes it impossible for American companies to honor their commitment to aide by European privacy requirements could result in denial of access to personal information associated with citizens of European countries.

In this situation, American businesses and other U.S. organizations could be prohibited from collecting information from customers and other individuals in Europe.  The American companies could also be prohibited from acquiring such information from companies and other organizations that are authorized to gather and share such data.  American organizations could also be denied the authority necessary to analyze or otherwise process the European information.

This action by European authorities has substantial potential commercial impact for American businesses.  It provides an illustration of the extent to which U.S. government data monitoring actions can have notable adverse economic consequences for the United States.  These potential consequences must be carefully considered as decisions regarding the value of large-scale government data mining activities are made.