With a January 31 deadline looming and the Judicial Redress Act languishing in the Senate, it is imperative for Congress to act quickly to take an important step in finding a replacement for Safe Harbor and ensuring that small digital businesses can continue to operate in Europe.
Following a citizen complaint involving Facebook, the European Court of Justice ruled in October that the US-EU Safe Harbor agreement, in place since 2000, was invalid. The immediate focus was understandably on the large tech companies that handle massive amounts of data: Facebook, Google, Microsoft, etc. The impact on smaller companies that also depend on data is being overlooked.
In many ways, rapidly implementing a new Safe Harbor agreement is far more critical for small businesses, and the consumers they serve, than for large companies. The largest global companies have the resources and the ability to negotiate new privacy practices with the myriad national and regional regulatory bodies across Europe.
I started my company in 2011, and approximately 10-15 percent of our business is in the European Union. The data we curate travels around the globe instantly. Under the Safe Harbor agreement, we were able to work with companies from EU member states to present users anywhere in the world with an opportunity to provide feedback and trainings.
This information collected from users can be transferred to any number of servers around the world, collected and processed in the United States and then shared with our customers in Europe. While doing so, we also comply with rigorous U.S. federal and state privacy regulations.
The digital world is truly flat, but the court’s decision fails to recognize this. The result is an attempt to create digital borders – borders that don’t inherently exist in our modern digital world – that prohibit data flows unless your business has the resources and time to have separate agreements with multiple EU state governments.
More than 4,000 small businesses relied on the Safe Harbor agreement. Without it, and without clear guidance in place, I do not know how Apptentive will continue to operate in Europe. Starting February 1, 2016, if Germany implements data privacy laws differently than France, it would be nearly impossible for us to decipher which regulatory framework we are required to follow when we curate feedback data from a German user, through a server in the U.S., and deliver it to a French company.
Large companies can hire teams of lawyers and privacy experts to navigate the labyrinth of regulations, and to ensure compliance across the numerous EU member states and regional jurisdictions. They can build server farms in Europe to circumvent the concerns over transferring data to the U.S., as Microsoft just did.
As a small company, these solutions are simply not possible.
The U.S. and EU must work quickly to enact a new agreement. To alleviate European concerns, the U.S. Senate should follow the House and pass the Judicial Redress Act, a critical step in repairing the damage done by widespread surveillance by some U.S. government entities.
Passing, and ultimately signing into law, the Judicial Redress Act would send a clear signal to our EU allies that the United States is committed to ensuring that the international marketplace remains open to businesses of all stripes and sizes.
Without it, small and medium-sized businesses will be left out of European markets, a result that is detrimental to American businesses and consumers around the world. I call on both sides to quickly reach a reasonable agreement that creates a unified regulatory framework that allows companies to operate in Europe.