Patriot Act vs. European law: What Are The Likely Outcomes?
Between the transposing of the EU Data Protection Directive in 1998 and the terrorist attacks in New York in September 2001, trade relations between the United States and the European Union were mutual, bilateral and safe.
The arrangement between the U.S. and the EU — for which both continents vary a great deal on data protection and citizen privacy — were shot down when the Patriot Act was rushed through Congress in October 2001.
The European Parliament is debating its own laws, to determine whether the Patriot Act is a threat to European data.
A senior Microsoft executive has already stated that in, short, the Patriot Act does not allow them to guarantee the safety or privacy of European data.
A clear disparity between the laws is ever present and becoming clearer each and every day.
The question now to ask is: how could the data protection war between the two continents be solved?
The EU could ban cloud companies to force the U.S. into changing their laws.
This would be, if not the most significant measure the European Parliament could take.
Banning any connection to the U.S. cloud would have massive impact on trade and diplomatic relations, and would leave many customers and clients in service hiatus.
Customers could lose access to data already held in an insecure cloud, and have their services cut off entirely, with businesses losing their outsourced communications services.
Or, Europe could ban new cloud contracts being signed by European clients with U.S.-based or wholly owned companies. This would limit the problem from spreading, but not solve the issue in its entirety.
U.S. companies could ’set free’ their EU-subsidiaries so they can operate as self-operated.
Though it is not ideal, and might cause serious legal headaches for wholly owned EU subsidiaries of larger U.S. owned companies, subsidiaries could be allowed to operate independently from their parent organisations.
At the moment, EU companies are controlled by their U.S. parent company and cannot refuse to hand over data. This has been likened to ‘having an argument with yourself’.
The European Parliament could implement some methods to ensure that EU companies are protected under EU law, and therefore could operate independently from their head offices.
But this solution would not go without problems; with EU companies being able to — in theory — detach themselves from their parent company.
The EU could suspend Safe Harbor to prevent EU data leaving Europe.
Safe Harbor allows data to be sent from Europe to the United States, under the premise that organisations receiving the data from their European counterparts agree to the European data protection principles.
If Safe Harbor were to be suspended, this could severely impact cloud service providers, as well as governmental intelligence sharing capabilities.
While the very point of the Patriot Act series when I highlighted that U.S. intelligence agencies could access EU-based data, this would on the flip side have ramifications for intelligence sharing governments across the world; potentially hampering serious investigations into online child abuse and terrorism.
The EU could draft emergency legislation to temporarily block U.S. law, giving time to work on it further.
The most likely option, and far beyond the least damaging. In what form this will take, it is not clear.
The European Parliament could unequivocally state that EU data “must not leave the European Economic Area under any circumstances“. This would solve the problem, as EU subsidiaries would have to abide by local EU law — and could face severe penalties for not doing so.
But this would have implications for the Safe Harbor agreement.
Whether any solution is the “best” solution — or even a solution at all — there will no doubt be a backlash of further problems to consider.
This issue cannot be solved overnight, and will no doubt require fresh EU legislation to be put forward to the European Parliament.