People’s legal rights need to move with their data, according to Microsoft president and chief legal officer Brad Smith, stating that the industry is urgently in need of a new agreement to replace Safe Harbor.
Safe Harbor, an agreement among 4,000 U.S. companies that transfers data of Europeans to the U.S., was struck down by the Court of Justice of the European Union (CJEU) on October 6, leaving tech giants scrambling for an alternative.
If no new long term arrangement is made, we will “return to the digital dark ages,” where data is required to stay within each country’s borders, said Smith in a blog post. A new agreement needs to work for major tech companies and small businesses alike, he added.
In any other case, this agreement would be easy to come to, but given the nature of data and how much it travels from country to country, things become more difficult.
“This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards,” he said.
Microsoft itself is currently entangled in a legal battle with the U.S. over the access to its servers in Ireland as part of a U.S. investigation.
Smith proposes a new agreement that essentially involves the U.S. applying E.U. law directly to E.U. citizens’ data. In other words, regardless of where your data travels, it will be protected by your country’s laws.
This would amount to a new trans-Atlantic deal whereby governments open dialog with other governments and make search warrant requests to a national’s government if it wanted to access the data of one of its citizens.
“The [CJEU] court required that EU nationals receive for data moved to the United States legal protection that is “essentially equivalent” to their legal protection at home,” said Smith. “This would ensure precisely that, because their own governments would continue to apply their own law.”
This would also apply in reverse. If a European authority is investigating an American citizen, it would need to obey U.S. privacy laws during the investigation, and appeal to the U.S. directly when seeking access to data. In a scenario where an EU citizen physically moves to the U.S. (or vice versa again), the government would only need to consult its own court.
Currently, there is a January deadline in place to come to a new deal over how data must be protected.
“This is the privacy version of a Rubik’s Cube,” said Smith, given all the pieces that need to come together to work for everyone.
