EU-US Safe Harbor Data Flow Talks Still Sticking On Surveillance

As the three-month deadline for Europe and the U.S. to agree a new transatlantic data transfer deal looms, EC officials are briefing that the U.S. needs to do more to improve transparency around its government mass surveillance programs in order to secure an agreement.

The prior fifteen-year-old Safe Harbor executive decision was struck down by the European Court of Justice last October on data protection grounds, invalidating data transfers legalized under the old regime and leaving businesses scrambling to comply with the various alternative mechanisms left to them to govern data-sharing activity between Europe and the U.S.

Although all sorts of businesses have used Safe Harbor to govern data flows, many U.S. Internet companies offering service in Europe are affected — given the typical cloud business structure involves harvesting users’ data and moving it to another region for processing.

Giving a speech in Brussels yesterday, Vĕra Jourová, the European commissioner for Justice, Consumers and Gender Equality, reiterated that the EU needs guarantees from the U.S. that principles of necessity and proportionality would be applied when authorities request data from private companies.

“We need guarantees that there is effective judicial control of public authorities’ access to data for national security, law enforcement and public interest purposes,” Reuters quotes Jourova as saying. Discussions between EC officials and their American counterparts are taking place in Davos this week, on the margins of the World Economic Forum.

State agencies’ access to data has been a long-standing sticking point for the Safe Harbor renegotiations, which have been ongoing since 2013 — when NSA whistleblower Edward Snowden revealed the extent of U.S. government agencies’ access to commercial data.

The ECJ ruling made the challenge for securing a new deal more explicit, given the judgment flags mass surveillance as in conflict with fundamental European data protection rights — rights which will be strengthened by a new data protection directive agreed at the end of last year and due to come into force from 2018.

Last November, Jourová said the EC is “strongly following” developments in the U.S. regarding surveillance and national intelligence reform — describing the USA Freedom Act, which has sought to place limits on government mass surveillance programs, as “good progress” on this front.

However, also speaking last fall, Commissioner Andrus Ansip suggested the U.S. will in fact need to legislate for enhanced data protection if it wants to secure a new agreement on European data transfers. “It is up to lawyers to say what exactly will be needed but I think that a legally binding administrative decision will be needed to make this Safe Harbor 2.0 Safe Harbor bulletproof according to my understanding,” he said at the time.

Yesterday, discussing the current state of negotiations, Jourova said the EC is seeking more transparency on the limits U.S. security services have for collecting personal data.

According to Reuters’, one sticking point is U.S. resistance to a mandatory system for companies to report numbers of U.S. government access requests. One mooted alternative is for the U.S. to supply data on how often its authorities are accessing personal data on national security grounds as part of an annual review.

In her speech, Jourová specifically emphasized “judicial control” of state access to data, saying: “We need guarantees that there is effective judicial control of public authorities’ access to data for national security, law enforcement and public interest purposes. Last but not least, we need U.S. Congress to adopt the Judicial Redress Act, in order for EU citizens to enjoy the rights US citizens already enjoy under the 1974 Privacy Act.”

“This is a precondition for the conclusion of the Umbrella Agreement,” she added.

Time is clearly running out to seal a deal by the deadline imposed by the EC last autumn — with less than two weeks before the Commission’s end of January deadline expires.

Earlier this week Politico reported a deal by the end of the month is looking unlikely, citing sources close to the negotiations saying an agreement by January 31 is “unrealistic”.

If no new Safe Harbor deal is in place by January 31, it is possible that European data protection agencies could start taking enforcement action against companies judged to be no longer in compliance with European privacy law. And here state surveillance activity is again problematic — with Facebook, for example, already the subject of several updated privacy complaints on this ground, filed by campaigner Max Schrems at the end of last year.

Last week U.S. and European trade groups warned of potentially “enormous” consequences for “thousands of businesses and millions of users” if a “comprehensive and sustainable” transatlantic data share agreement is not reached by the end of the month.

There are alternative mechanisms available governing EU-US data transfers in the current Safe Harbor-less limbo, however it’s clear business groups do not relish this more complex data-sharing compliance scenario, nor the increased risk of enforcement action by national DPAs from next month.