Safe Harbor 2.0: US-EU Data Protection Talks Are Coming Down To The Wire

The fundamental way the internet works is at risk because bureaucrats in Europe and the U.S. cannot agree on how data should be transferred across the Atlantic Ocean. If a deal can’t be struck in the next 48 hours, it will force some of the world’s biggest technology powers, such as Amazon.com, Apple, Facebook and Google, to fundamentally change the way they operate.

Intensive negotiations are taking place in Brussels and will likely continue long into the weekend as officials on both sides attempt to rework the Safe Harbor Privacy Principles agreement that was struck down by Europe’s top court in October. That pact allowed U.S.-based tech companies to move user data seamlessly across borders, but it was struck down in the wake of revelations about the mass surveillance being conducted by U.S. intelligence agencies.

“The trans-Atlantic economy as a whole is dependent on a successful outcome,” Microsoft Corp. general counsel Brad Smith said at the World Economic Forum annual meeting in Davos, Switzerland, last week. “These negotiations are too important to fail.”

Big companies such as Microsoft, Apple Inc., Facebook Inc. and the Google unit of Alphabet Inc. have reacted to the European Union court ruling by saying they had other mechanisms in place (known as model clauses) to ensure they complied with European data-protection laws, but those clauses are set to come under increased scrutiny by data-protection authorities in Europe unless a new Safe Harbor deal is implemented. Meanwhile, a powerful group of data-protection authorities across Europe are also meeting to finalize new measures to help scrutinize these mechanisms and prohibit the transfer of data outside the EU if necessary.

Officials at the European Commission told International Business Times the Brussels negotiations will “almost certainly” drag into the weekend. The deadline set by the group of data-protection authorities known as the Article 29 Working Group for a new deal to be hammered out is Sunday, but negotiators are believed to have a couple of days of breathing space.

The data-protection authorities said they would not go after companies that continue to use the original Safe Harbor agreement until after Jan. 31. However, the group isn’t scheduled to hold a meeting Feb. 2, meaning nothing is likely to happen on the enforcement side until Wednesday at the earliest.

The exact details of the issues holding up the negotiations are unknown, but officials told IBT two of the main sticking points relate to “transparency and effective oversight” and that the European side needs more clarity from the U.S. side on these matters. At the Computers, Privacy and Data Protection conference, which is coincidentally being held in Brussels this week, the chatter on the U.S. side was much more positive than on the European side.

‘Optimistic’ About a Compromise

Ted Dean, deputy assistant secretary for services at the U.S. Commerce Department, which is leading the U.S. negotiating team, said a deal was “attainable” and that he was “optimistic” about a compromise being reached. “The current administration is looking forward to getting the Safe Harbor agreement done,” Dean said.

However, Bruno Gencarelli, head of the data-protection unit within the European Commission, did not appear to believe such an agreement was close. “We are not there. We need movement. The worst outcome is a second annulment,” Gencarelli said.

The movement Gencarelli spoke about was thought to have come Thursday, in the form of the Judicial Redress Act, which was passed by the U.S. Senate Judiciary Committee by a 19–1 margin and will now come before the full Senate where it is expected to approved easily. The Judicial Redress Act is designed to extend to EU citizens the same privacy rights that U.S. citizens enjoy. It will also allow European citizens to access any records shared by their governments with the U.S. government, amend those records in the event they are incorrect and potentially sue the U.S. government should it illegally disclose their data.

However, a last-minute amendment to the bill by Senate Majority Whip John Cornyn, a Texas Republican, has thrown a monkey wrench in the works. The amendment was aimed at appeasing concerns on the U.S. side that the bill in its original form was a giveaway to Europeans.

There were two aspects to the amendment: The first allowed U.S. firms to legally handle European citizens’ data, while the second prohibited the overall measure from infringing on U.S. national-security efforts.

The changes made in the proposed legislation have not gone down well in Brussels, with one official telling IBT the Europeans viewed the Judicial Redress Act as an “important step forward” but that they were “not happy” with the last-minute amendment. As the Europeans see it, the issue is that the bill now mixes commercial concerns with national-security concerns.

Negotiations over a new deal to facilitate the transfer of data between the EU and the U.S. have been taking place for more than two years, but talks were given serious impetus in October when the European Court of Justice ruled that the original Safe Harbor agreement, in place since 2000, was deemed invalid as a result of concerns over mass surveillance in the wake of leaks made by Edward Snowden, a former contractor at the U.S. National Security Agency.

At the time it was struck down, the Safe Harbor pact was employed by more than 4,400 companies of varying sizes to transfer data between the EU and the U.S. but with that arrangement set to officially expire Sunday and without a new deal in place, many of these firms will be left facing an uncertain future.

‘Too Important to Fail’

This week, Twitter Inc. updated its privacy policy to explicitly state: “We’ve also removed the EU Safe Harbor Framework section” -- but this may not be enough to appease data regulators across Europe.

For the thousands of small and midsize companies that conducted business under the Safe Harbor agreement, the lack of a comprehensive deal will leave them high and dry, and Europe’s data regulators are leaving those firms in no doubt that they will be enforcing the law. “It is evident that we will sanction any transfers of personal data which are solely based on the old Safe Harbor decision,” Johannes Caspar, the head of Germany’s data-protection authority, said recently.

While many see European and American views on data privacy as diametrically opposed, some disagree with this assessment. “I do not think there is a fundamental difference,” Maarten Meulenbelt, a partner at the law firm Sidley Austin LLP in Brussels and an expert on EU privacy matters, told IBT. Meulenbelt and his colleagues outlined their arguments that privacy protections on both sides of the Atlantic are largely the same in a comprehensive report published this week and titled “Essentially Equivalent.”

There is an argument, fueled by Snowden’ revelations, that the U.S. does not share the same concerns as the EU about data needing to be protected as a fundamental right, but Meulenbelt noted “there is case law in the U.S. that shows [data protection] is directly linked to the Constitution.”

One problem is that while the EU has a single law encompassing the whole union — the EU Data Protection Directive — there is no such omnibus law on the books in the U.S.

However, there are a range of separate structures in place that offer a patchwork solution as comprehensive as that which is in place in Europe. These range from the Fourth Amendment of the U.S. Constitution to federal laws governing particular parts of the American economy, such as the Health Insurance Portability and Accountability Act, to state-level legislation. Along this line, Meulenbelt pointed out, “California for example has over 100 laws with data-protection provisions in them.”