Thousands of companies operating in Europe could already be in trouble for breaking the law by sending data — everything from payroll information to social media updates — across the Atlantic to the U.S. after the deadline for reaching a new trans-Atlantic data transfer agreement passed at midnight on Sunday.
The window for renegotiating the safe harbor deal, which was struck down by the European Court of Justice (ECJ) in October, technically ran out on Jan. 31. But Europe's data protection regulators are not due to meet to hammer out a response to the situation until Tuesday, so officials have a day's grace period in which to find a resolution.
In October the ECJ ruled that a 15-year-old deal that facilitated the transfer of data between Europe and the U.S. was invalid. The ruling came after an Austrian Facebook user, Max Schrems, questioned Facebook's sending his data to the U.S., where, he claimed, mass surveillance by intelligence agencies meant his privacy was being breached.
Following several rounds of negotiations last week, officials from both sides were engaged in intense discussions on Sunday in Brussels with the Department of Commerce and Federal Trade Commission leading U.S. interests. One official described the talks as "constructive but difficult." It is understood that Jean-Claude Juncker, president of the European Commission, is keeping a close watch on the issue and is still confident that a new deal can be struck.
Negotiations -- which Microsoft called "too big to fail" -- continue "day and night," according to a commission spokesperson, but with the data regulators meeting in Brussels Tuesday to outline their response to the current situation, companies of all sizes now won't be sure how to proceed.
It is thought that EU officials want more clarity on just how European citizens will be able to file legal claims in the U.S. if it's found that the U.S. government is illegally accessing their data. There are also concerns on the European side about just how much access intelligence agencies, including the NSA and FBI, will have to records of European citizens that have been transferred across the Atlantic.
The U.S. has agreed to a range of measures which it believes provides a robust privacy framework for European citizens' data, including the Judicial Redress Act, which was given the OK by the Senate Judiciary Committee last Thursday and was seen as the final hurdle in getting Safe Harbor 2.0 concluded. However, a last-minute amendment to the bill upset European officials and prevented a deal being made this weekend.
There were two aspects to the amendment filed by Senate Majority Whip John Cornyn, a Texas Republican: The first allowed U.S. firms to legally handle European citizens’ data, while the second prohibited the overall measure from infringing on U.S. national security efforts. This was seen by European officials as mixing national security concerns with those of commercial operations, which they don't want conflated.
While the deadline of Jan. 31 was set by the data regulators in the wake of the ECJ ruling, the commission stated in early November that it hoped to wrap up negotiations within three months and speaking on Monday, a spokesperson for the commission told IBT: "The aim remains to wrap up talks within that time."
On Monday evening the European Commission's commissioner for justice Vera Jourová is set to present the results of the negotiations to a meeting of the European Parliament committee on civil liberties, justice and home affairs. This is seen as the real deadline for a solution to be reached.
Without a new safe harbor deal in place, the 4,400-plus companies that relied on the system of transferring data from Europe to the U.S. are now in limbo, potentially having to freeze data transfers completely in the wake of threats from data regulators that they will begin enforcing the law immediately. Until the data regulators present their proposals on Wednesday, it's not clear what the penalties will be, though regulators will have the power to stop transfers of data completely.
The impact of not reaching an agreement could be huge. While the lack of an easy and convenient way of transferring data across the Atlantic will hurt all businesses, it us understood that regulators in countries across the EU will target the biggest game, and in this case that means Silicon Valley tech giants like Apple, Microsoft, Google and Facebook.
“The floodgates could be about to open," Nigel Hawthorn, European spokesperson at cloud security broker Skyhigh Networks, told International Business Times. "EU country regulators will no doubt have a long backlog of complaints, and we could see [them] go after some very big fish."
Companies like Microsoft looked to assuage customer concern in the wake of the ECJ ruling in October claiming that it will use other legal avenues -- known as model clauses -- to move data from the EU to the U.S. However, those clauses are set to come under increased scrutiny by data-protection authorities in each country.
Under the existing law, each member state's data regulator needs to assess each individual company's use of model clauses, checking if the protection offered in the U.S. is equivalent to that being offered in the country the data is being sent from. By law they cannot simply enforce a blanket ban on data being transferred to the U.S.
The impact on international trade could be "astounding," according to Annabelle Richard, legal director at law firm Pinsent Masons. She called on the regulators to use common sense when it comes to making their decision on Tuesday. “Data protection agencies need to adopt a pragmatic approach on the issue of data transfers to the U.S.," said Richard.