A decision this week by the European Union’s top court about data privacy will not only have a strong impact on commerce between U.S. and Europe, but could eventually improve security protections for Americans, said a security expert from Carnegie Mellon University.
“If we have to change the framework for how we protect European citizens, that may come back to help protect Americans in the long term,” said Lorrie Faith Cranor, director of CMU’s CyLab Usable Privacy and Security Laboratory.
On Tuesday, the European Court of Justice invalidated the Safe Harbor agreement that allows U.S. companies to store personal information about European business affiliates, employees and customers on U.S. computer systems.
The court said the pact violates Europeans’ privacy rights and exposes them to surveillance by the U.S. government.
About 4,500 companies participate in the pact, enacted in 2000, to store payroll information, social media posts, online orders and other data from European business affiliates and customers.
It has come under fire in Europe because of a lack of enforcement by the U.S. Department of Commerce and concerns raised by the case of former U.S. government contractor Edward Snowden who leaked classified government information in 2013.
“One of the reasons this case ended up happening was because of the Snowden leak,” said Ms. Cranor.
In Europe, the EU bars the transfer of data between citizens and countries without required protections. The case originated with a complaint filed in 2013 by an Austrian privacy activist about whether Facebook was adhering to European data privacy rules.
Pittsburgh-area businesses with operations in Europe said they were waiting to receive more information on the ruling.
MSA spokesman Mark Deasy said the Cranberry safety products company’s human resources staff is working on an initiative that would allow MSA to more easily and effectively manage global data about its employees.
The court ruling makes it unclear whether the company will be able to fully take advantage of that tool, Mr. Deasy said.
Covestro, which has its North American headquarters in Robinson and which is majority owned by Bayer AG in Germany, said the ruling “bears no immediate concerns.”
“We are monitoring the situation closely to determine what, if any, impact it will have on how we share data with our European affiliates,” the company said in a statement.
PPG Industries, with manufacturing, research and development operations throughout Europe, said it is reviewing the decision.
”Big companies will be in a better position to find legal work-arounds and implement them than small companies will be,“ said Ms. Cranor.
For businesses, she said, ”I think being able to comply with European data protection rules is commercially beneficial.“
In the U.S., she said, ”We should have better legal protections than we have. Right now we have very minimal legal privacy protections and that is an ongoing concern.“