The European Court of Justice’s rejection last October of the European Commission’s so-called “safe harbor” agreement with the U.S. forced many American startups to grapple with a difficult choice: spend considerable time and money trying to find a different mechanism to legally import EU consumer data or sit tight and hope regulators worked it out before member states started filing lawsuits. Neither option was particularly appealing, and thankfully, the EC’s announcement this morning that negotiators had reached a framework agreement on Safe Harbor 2.0 (rebranded as “Privacy Shield”) removes some of the uncertainty startups have faced over the past three months. But does this tentative framework provide the future-proof, legal certainty that is essential for startups operating in the EU?
For those of you who are just tuning in, here’s a quick refresher: the EU’s Data Protection Directive imposes certain obligations on how entities in different countries can handle data from EU consumers. To help streamline compliance, the EC and U.S. entered into an agreement that allowed U.S. companies to self-certify compliance with the Directive and thereby legally transfer data across the Atlantic. This system worked quite well in facilitating EU-U.S. data flows, until the ECJ issued a ruling in October that U.S. laws permitting the NSA to conduct mass surveillance of consumer data violated the Data Protection Directive, thereby voiding the safe harbor and opening up the door to potential legal action against companies that continued to import EU consumer data without a different legal justification.
Policymakers in the EC and the U.S. Department of Commerce promptly got to work on a new safe harbor agreement but faced considerable time pressure, as European Data Protection Agencies were set to commence enforcement proceedings against non-compliant companies if the parties could not reach an agreement by January 31. Crafting an important international agreement in such a relatively short time frame was a challenging endeavor, and as Sunday’s deadline approached, the possibility of a world without safe harbor began to set in.
For many U.S. companies that had previously relied on the safe harbor, failing to finalize a new agreement would be an inconvenience, but hardly insurmountable. Large multinationals had many alternative data transfer pathways at their disposal, like Binding Corporate Rules or Model Contractual Clauses. Others could simply set up servers overseas and process EU consumer data locally. But, these strategies were only feasible for those with enormous financial resources and a legal staff sufficient to navigate 28 different state data agencies and regulations—resources that small, cash-strapped startups just don’t have.
Consequently, startups faced a much more dire situation, and many simply had no idea how to proceed. Some mature, better-funded startups followed the lead of larger tech companies, working up model contract clauses, often at the behest of international partners that wouldn’t proceed without such agreements. Others hoped that updates to their privacy policies and consent processes would suffice, though this was something of a legal gamble and a potential disruption to business (how many consumers enjoy having to click through new popup consent forms?). Some companies, devoid of other sensible options, planned to continue business as usual, expecting that policymakers would eventually craft a solution and hoping they were too small to draw the ire of member state regulators if no agreement could be reached.
The EC’s Tuesday announcement of a “political agreement” was therefore met with cautious optimism and relief. The hard work that the EC and the U.S. Department of Commerce put in over the past few months paid off, pulling out an agreement at the eleventh hour and returning stability and some certainty to the international data flows that make the Internet work. Going forward, consumers and companies on both sides of the Atlantic should hope that this newly formulated “Privacy Shield” will provide a simple, well-defined framework for data exchange, so long as it remains in force. But this difficult experience should serve as a reminder of how the heavy burden of regulatory uncertainty often falls hardest on the smallest players. Startups that made user security and privacy a central part of their companies were nevertheless caught in an international dispute between national governments and multinational companies with few feasible options to stay square with laws that quickly became unclear. In the end, the drama surrounding Safe Harbor 2.0 is both a win for prompt, sensible policymaking and a lesson of how policy disputes can impact the startup sector in unexpected ways.