Safe Harbor Deadline Passes Without A New Deal On Transatlantic Data Flows — Yet

A deadline to agree a new deal to govern transatlantic data transfers has passed without agreement on a new, safer ‘Safe Harbor’. But talks are continuing — and Věra Jourová, the EC commissioner heading the negotiations from the European side, said today that a deal “is close”, although she emphasized that “an additional effort is needed”.

The original fifteen-year-old Safe Harbor agreement, which had allowed some 4,700 companies to self-certify they would provide adequate protection of European citizens’ data once it was in the U.S. for processing, was ruled invalid by Europe’s top court, the ECJ, in October last year. That left businesses scrambling to figure out how to operate legal data transfers in the meantime, while US and EC officials tried to hammer out a new agreement.

The deadline to seal a new deal was set by the EC back in November, giving negotiators three months to set out their stalls, before any European Data Protection Agencies would start enforcement actions against companies suspected of breaching European law. Now that deadline has passed, there’s nothing to stop DPAs starting enforcement actions. Although if a new Safe Harbor deal really is close the current legal limbo may close up soon enough.

Or that closeness may turn out to be the deceptive proximity of parallel legal universes.

The sticking points for the European negotiators are that they are still looking for further clarification on transparency and effective oversight, according to a spokeswoman for Jourová, who is the Commissioner for Justice, Consumers and Gender Equality.

Making a statement in the European Parliament on the current state of play, Jourová fleshed out these sticking points in more detail. The agreement must be “fundamentally different” to the old Safe Harbor, she asserted, and must be able to withstand any future legal challenge — such as the case brought by Max Schrems that led to the ECJ striking down the original agreement last year.

“We have tried hard to obtain commitments from the US to ensure that any new arrangement meets the requirement of the court ruling. We are aiming… for a robust new system that unlike Safe Harbor ensures that any individual complaint is resolved, includes guarantees that access by public authorities is limited to what is proportionate and necessary, and third main different from the old Safe Harbor, this new arrangement will be closely monitored and reviewed on a regular basis with the involvement of national security bodies and data protection authorities,” she said.

“I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences. But I believe that the close partnership between Europe and the US deserves these special efforts,” she added, throwing a little soft soap over what have evidently been some pretty spiky late night discussions.

Jourová has previously said that the US adopting the Judicial Redress Act is a necessary step to achieving a new deal — to provide a path for EU citizens to sue over privacy complaints in the US. A Senate judiciary committee passed the Act late last week. However, it also passed a last-minute Republican amendment that provides for an exception on national security grounds — thereby undermining the entire point of the measure, from an EC perspective. Not the greatest message to send to negotiations hanging in the balance at the eleventh hour then…

On the point of national security agencies’ access to data, Jourová today reiterated there must be “limitations and safeguards”, as well as independent oversight and redress. She also reiterated there can be “no indiscriminate mass surveillance”. (The key, ironic word there being indiscriminate — more on that below…)

“The Schrems ruling has made clear that [public authorities’ data] access must be limited to what is strictly necessary,” she said. “The US framework has evolved since the Snowden revelations, there have been important reforms under President Obama introducing stronger oversight and more transparency.

“In the context of our negotiations we are obtaining specific written assurances from the US that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate. These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-US persons.”

Specifically, Jourová said it is necessary for the US to create a “functionally independent body” — such as an ombudsman — which could answer complaints by European citizens about the use of their data by public authorities in the US.

She also said the negotiators were working on “a last resort mechanism” to ensure all complaints are resolved “through a binding and enforceable decision”. She noted that the FTC is more involved in setting strategy than individual complaint handling, and said it will be necessary for EU DPAs to have “an active role” in handling complaints. No complaints by European citizens about data privacy should go unanswered, she stressed.

“This is essential for a new arrangement. Given that the right to legal remedy is enshrined in our charter of fundamental rights,” she said.

Jourová also made it clear that any new agreement would itself be subject to ongoing oversight. So no more deals that run on unchecked for fifteen years. Instead there would be an annual joint review process looking at “all aspects of the arrangement”.

“Let me be very clear, we will need to continue to monitor developments in this area also in the future… This will not be one off decision. This means the start of monitoring because what we need now is trust. But we also have a duty to check,” she said.

The Article 29 Working Group, comprised of representatives of all of the national DPAs, is due to hold a press conference on Wednesday in which they will discuss findings of their own impact assessment of the ECJ ruling on the alternative data transfer methods that must now be used instead of the invalidated Safe Harbor. So it remains to be seen whether they will be champing at the bit to start actions against potential infringers.

The DPAs are a varied bunch. Some, such as the UK’s ICO, frequently appear tonally far more pro-business than pro-privacy/pro-consumer. Whereas the reverse is true for France’s CNIL, or German DPAs, such as the Hamburg DPA. So how different DPAs react is going to be interesting to watch.

(At the end of last year, European privacy campaigner Max Schrems filed multiple updated complaints against Facebook, in light of the Safe Harbor strikedown, lodging the complaints with three different DPAs. Schrems has also said he intends to file more complaints against other tech companies, who should be braced for others to follow suit. And for DPAs who have more fire in their belly for consumer rights to start showing some teeth.)

That said, Jourová said talks would be continuing this evening to try to close the final gaps — so the hint is that a new deal is in fact very close.

“Finally we need commitments by the US that are formal and binding. And as this will not be an international agreement but an exchange of letters we need signatures at the highest political level and publication of the commitments in the federal register,” she added.

A sense of deja vu… 

However, for all her tough talk, Jourová was savaged during questioning by MEPs, who criticized the fact that any new Safe Harbor would be based just on an exchange of letters, rather than being a fully fledged international agreement.

She also revealed the rather salient detail that the fledgling agreement that’s still being hammered out does in fact allow for “generalized access” to data (i.e. non-targeted, mass surveillance) by the US intelligence agencies in certain circumstances… As they say, the devil really is in the detail.

https://twitter.com/maxschrems/status/694247648279318528

“Generalized access… may happen in very rare cases. In fact under three circumstances: if the tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access. But we warn in our negotiations our American partners that this targeted access must be really prior one, it cannot be swallowed by the generalized access,” said Jourová.

She added that the EC requires these exceptions to be “very precisely described”, and to be checked via an ongoing oversight process by an independent ombudsman. But she also used the T word: trust. So it looks like the frenzied US lobbying and political pressure being brought to secure a new agreement on data flows might well have borne fruit.

All of which roundly failed to impress the man who brought down the last Safe Harbor agreement…

https://twitter.com/maxschrems/status/694248687187423233

https://twitter.com/maxschrems/status/694252591082029060

https://twitter.com/maxschrems/status/694253588525223936

https://twitter.com/maxschrems/status/694258411287007236

So, the upshot of the Safe Harbor negotiations as it stands: no legal certainty for businesses wanting to export data from Europe right now, and little legal certainty in future if the EC folds on concessions on mass surveillance — only for the ECJ to unpick that second agreement in future.

In a statement responding to developments, the US Centre for Digital Democracy dubbed it an apparent “capitulation” by the EU to US negotiators.

“The Obama Administration appears to have successfully brokered a deal that lets Google, Facebook and the other major US data companies avoid changing their business practices. The EU’s capitulation to the U.S. negotiators puts European citizens in great peril. Forcing them to appeal first to U.S. corporations before going to their own government regulators undermines their fundamental right to privacy,” it writes.

“Given the lack of transparency in the operations of these powerful global digital media companies, it will be impossible for individuals in the EU to even know when their data protection rights have been violated. The US does not have the necessary privacy and consumer protection laws for safeguarding its own citizens. Nor does the Federal Trade Commission have sufficient authority to regulate the complex and massive “Big Data” apparatus that poses such unprecedented threats to everyone’s privacy.”