As thousands of companies on two continents worry about the repercussions from the European Court of Justice's recent ruling that the Safe Harbor agreement is invalid, Microsoft’s president and chief legal officer, Brad Smith, has presented a four-step proposal to replace the system and stop a “return to the digital dark ages.”
The trans-Atlantic Safe Harbor agreement, which has governed the flow of personal data across the Atlantic for the last 15 years, was nullified on October 6 after the ECJ said it didn’t offer European citizens adequate privacy protections. The ruling came after an Austrian law student, Max Schrems, questioned the safety of European citizens’ personal information in the wake of allegations of spying by US government agencies.
European privacy regulators have said that if a new agreement is not reached, they will start to enforce tougher oversight of data transfers, including issuing fines and banning overseas data transfers, by the end of January.
Smith said in a blog post that new technology meant an updated version of Safe Harbor had been necessary for many years: "It's an opportunity whose time has come. This month the old legal system collapsed, but the foundation long ago had crumbled. In recent years it has been apparent that a new century requires a new privacy framework. It's time to go build it."
Smith’s proposal addresses what he refers to as the "privacy Rubik's cube" of balancing privacy rights, a global internet and public safety. The first step is to ensure that people's legal rights move with their data, meaning the US government would have to abide by European laws when requesting data on an EU citizen whose information is stored on US-based servers. The second step proposes an expedited process for governments in the US and EU to serve lawful requests for data to authorities in a person's home country, while the third suggests exceptions should be made when a person moves between continents – giving the US or EU countries authority over those people who physically reside within their borders.
The final part of the proposal says all governments involved should agree to only access a particular company’s user data through that company directly, rather than using unscrupulous methods.
“This fundamental approach would cut through the existing legal confusion by making clear both that people will not lose their privacy rights when their data is moved across a border and that there is an effective and legally proper basis for law enforcement to access the data needed to keep the public safe,” Smith wrote.