Although it has been six months since the first disclosure by Edward Snowden, the public revelations of the scope and scale of the capabilities of the National Security Agency do not appear to be slowing down.
Based on new leaked information, the NSA has recently been accused of eavesdropping on the telephone conversations of Angela Merkel, the Chancellor of Germany.
This information, along with accusations of intercepting the phone calls of other high-ranking foreign officials, comes at a critical time as the European Union deliberates new data protection regulations. For over a decade, the data protection regulations of the European Union and its member states have represented the most stringent of their type in the world.
Germany, in particular, has been at the forefront in enforcing these laws. These regulations generally prohibit the transfer of personal data of EU citizens to any country that lacks adequate data protection safeguards unless approved by the citizen's member state.
Beginning in 2012, the EU initiated a process to further strengthen its approach to the protection of personal data and to ensure unified treatment and enforcement across all of its member states. In response to these new reports of government surveillance, the US can expect a critical review of its status as a permitted recipient of EU personal data.
In 2000, the European Commission and the US Department of Commerce instituted a "Safe Harbor" framework to prevent the EU's then-newly enacted data protection regulations from interrupting data flows between the US and the EU member states. Under the Safe Harbor framework, eligible US companies may self-certify to the US Federal Trade Commission that their internal policies and safeguards comply with the data protection principles enshrined in the EU regulations.
Failure to comply opens a company to a potential enforcement action by the FTC. This framework, along with the use of EU-approved contractual clauses, has been a resounding success for international e-commerce. Today, over 3,000 US companies participate in Safe Harbor, including Apple and Google. However, officials in the European Commission and the EU member states have publicly questioned the viability of the Safe Harbor framework, potentially to the detriment of every US company doing business in the EU.
According to the European Commission Vice President, Viviane Reding, "The Safe Harbor agreement may not be so safe after all." Earlier this year, in the wake of the information leaked by Edward Snowden, German data protection officials notified the European Commission that Germany would no longer grant new approvals for the transfer of German data to non-EU countries.
Even though the Safe Harbor framework itself contemplates a national security exception, the official European Commission advisory group for data protection announced that it will formally consider "to what extent protection provided by EU data protection legislation is at risk." The results of this assessment will be released at the end of this year and will likely inform EU deliberations on the proposed enhanced data protection regulations.
Because the Safe Harbor framework automatically permits data transfers for the whole of the EU, Germany's refusal to grant new permissions has not impacted participating US companies. However, the consequences to US businesses of any disruption to the Safe Harbor framework could range from increased compliance costs and bureaucratic headaches to a complete suspension of services to Europe and the payment of fines and penalties.
At the very least, the regulatory uncertainty caused by the rhetoric in Europe may act to discourage future expansion of EU-based operations. If the Safe Harbor framework is suspended, the EU would deem the US's current data protection laws inadequate. Each US company with the need to access and use EU personal data would then be subject to the data protection regulations (and associated penalties) of each EU member state.
Fortunately, many of the regulations provide workable exceptions to the permission requirement. However, the administrative burden of either navigating the permission process (if allowed at all) or determining whether an exception applies to each data transfer would be highly disruptive to any company's operations.
Source: USA Today