US-EU Safe Harbor Data-Transfer Talks Enter Final Week

As negotiations on a key transatlantic data-transfer agreement enter the final week, before the EU’s end of January deadline, senior US and EU officials have been discussing the state of play at the Safe Harbor talks table.

“We have a comprehensive offer that we are refining right now, that creates what’s called ‘essential equivalents’ which is the standard that needs to be met in order for Safe Harbor to receive what’s called an adequacy determination,” said Penny Pritzker, U.S. Secretary of Commerce, summing up the current state of discussions from the U.S. point of view.

Although talks have been ongoing to update the EU-US data-sharing deal since the Snowden revelations of 2013, a fresh imperative was created last October when the fifteen year old Safe Harbor framework was struck down by the European Court of Justice (ECJ) — leaving some 4,500 business scrambling to comply with alternative mechanisms to govern transatlantic data transfers. The ECJ decision ruled that US government mass surveillance programs violated fundamental European data protection rights.

Speaking during a discussion at the World Economic Forum in Davos this weekend, Pritzker said the two sticking points in the talks to secure a new Safe Harbor agreement are national security agencies’ access to data — “what kind of information is available about activity that is done for national security and how do those affect privacy” — and how to structure a system for European Union citizens to make privacy complaints in the US.

“Our intelligence community and law enforcement have detailed for the EC the legal authority and oversight that has been put in place particularly post-Snowden with the Presidential directive. And that includes privacy protections for citizens of all nations. And it very much aligns with the requirements of the ECJ,” said Pritzker, giving sparse detail on the national security point.

She talked at greater length about complaints mechanisms.

“The other big issue is the issue of how to address if a European citizen has a complaint about privacy. And we’ve taken that issue very seriously. It’s a very important issue. We take privacy very seriously in the U.S. and we take the issue of addressing this very seriously,” she said.

“We’ve developed multiple — seven — pathways for EU citizens to address their concerns about compliance. And then we’ve developed significant also new frameworks and commitments from U.S. agencies to provide enforcement and resolve these complaints using our FCC which drives privacy now.”

Last week, giving a speech in Brussels, EC commissioner Vĕra Jourová flagged up both issues. “We need guarantees that there is effective judicial control of public authorities’ access to data for national security, law enforcement and public interest purposes,” she said on the national security data access point.

Jourová also stressed that the U.S. Congress adopting the Judicial Redress Act is a precondition for the conclusion of an agreement — “in order for EU citizens to enjoy the rights US citizens already enjoy under the 1974 Privacy Act”.

Pritzker did not mention this precondition. Instead she made the point that the fifteen years of the prior agreement had resulted in only “four referrals” from EU data protection agencies to the FTC.

“Let’s keep in mind something really fundamental. For the last fifteen years, almost 4,500 companies from both sides of the Atlantic have benefitted from Safe Harbor. In those fifteen years there have been four referrals from EU data protection agencies to our FTC. Four unresolved complaints about privacy and all of those got resolved,” she said.

“We’re at a point where… it’s time for us to act and to stand together and to demonstrate to companies and to the ECJ and to all interested stakeholders that we’ve come a very long way. And that the thing to keep in mind is that there’s an annual review of the Safe harbor that’s now built in. So we have to recognize that all of these good folks are evolving technology probably faster than governments can react but we’ve set up mechanisms to recognize that the landscape will change and the solutions today will have to evolve,” she added.

Giving the European view on the Davos panel, Andrus Ansip, EC VP for the Digital Single Market, described himself as optimistic and confident the two sides would “reach consensus” — pointing to agreement over an annual review process as a key mechanism to resolving disputes within the new Safe Harbor.

“We cannot compare this Safe Harbor we will have, I hope we will have, with this Safe Harbor we had in the year 2000. Now there will be more transparency, we will set institutions of ombudsman. The dispute resolution mechanism, which is really important according to my understanding, it will be a process to make Safe Harbor even more safer. Because there will be annual review,” he said.

“I would like to say that we made progress and we had to ramp up those negotiations and we had to deliver because time is running out.”

Pressed on whether his view is the agreement is not quite there yet, Ansip again pointed to the “review clause” as a key development in the negotiations. But also noted that the ECJ is another check and balance that cannot be ignored.

“When I said that according to my understanding, according to this new Safe Harbor data of European citizens will be treated as data of Americans in the US then it means something. We really made efforts. So if there will be some kind of doubts then this review clause it makes sense and of course I asked for bulletproof solution but if it will be not bulletproof then we can be absolutely sure the ECJ will intervene once again. So this is a process.”

Providing a commercial perspective on the negotiations, Brad Smith, president and chief legal officer at Microsoft, said in his view the talks are an opportunity to bring much needed “clarity and coherence” for businesses when it comes to how they are regulated on privacy in Europe. But he also said there is room for “more transparency steps” by the US government — to resolve the surveillance sticking point and help restore trust.

“If people in Europe are going to trust American companies we need to be accountable. People will not trust institutions that are not accountable. Privacy is a fundamental human right. Rights need to have remedies. Remedies need to be real and effective. And if the FTC can and does act that can give people confidence. And if the FTC doesn’t act in a particular situation I don’t know that that means there should be no role for local data protection authorities,” said Smith.

“If a negotiation can lead to an outcome where US companies large and small will know who it is that they’re accountable to that would be a huge victory I believe for the cause of commerce and privacy,” he added.