Congress scrambles to settle US-EU data spat this weekend
The bill is designed to help settle negotiations between the United States and the European Union aimed at replacing a “safe harbor” agreement that was struck down last year when the European Court of Justice ruled the European Commission lacked authority to accept the provision on behalf of member nations.
Without the agreement, which expires Jan. 31, European data privacy regulators would begin prosecute U.S. technology firms for their handling of European users’ personal data. The agreement has been in place for 15 years and was relied on by more than 4,500 U.S. and European firms to provide legal clarity about data transfers from Europe to the United States.
In a 19-1 vote on Jan. 28 – which happens to be the international Data Privacy Day — the Senate Judiciary Committee finally approved a version of the JRA, something the full U.S. House did by voice vote last October. Now the measure must move through the full Senate, back to the House and ultimately to President Barack Obama before the agreement expires.
The European Court of Justice’s ruling amounts to something of a Marbury v. Madison moment for the EU, with the court declaring the European Commission lacks (and has always lacked) the authority to accept on behalf of all member nations. In addition, the opinion found the safe harbor’s lack of redress for privacy violations to be a big problem, on which the commission appears to agree.
The JRA would provide redress (that is, the ability to sue in U.S. courts) for Privacy Act violations to citizens of what it deems “covered countries.” While its purpose obviously is to ameliorate the privacy concerns of certain EU member nations, the EU itself is not specifically mentioned anywhere in the agreement. It could eventually apply to countries outside of the EU. But more importantly, even if the JRA does passed Congress, before or after the deadline, it may not meet the national standards of every individual EU nation.
The Privacy Act confers only a very limited set of rights. Essentially, the JRA would let citizens of “covered countries” sue only if a U.S. firm that holds personal data massively screws up their lives because of misinformation.
Thus, the JRA may not be the cure U.S. tech firms are looking for. The broader problem of data security has no simple solution. As Max Schrems (plaintiff in the case that toppled the old safe harbor) put it: “I don’t see where this conflict is easy to solve.”
The Senate’s trepidation to date makes sense, given the compound effects of a complicated problem and the lack of a true solution. As Andrus Ansip of the European Commission put it “I ask for a bullet proof solution.”
The reality maybe that there is no bullet-proof solution. But the JRA could be a meaningful step in the right direction.