Export Compliance Daily is a Warren News publication.
Security Key Challenge

Parties Disagree Whether Safe Harbor 2.0 Can Happen In Time

With companies that send personal data to the U.S. facing a January deadline to find legal transfer mechanisms now that the safe harbor agreement is dead, the question is whether the EU and U.S. can successfully negotiate "safe harbor 2.0." Max Schrems, whose challenge to the Irish data protection commissioner over Facebook's storage of Europeans' personal information in the U.S. led to the Oct. 6 European Court of Justice (ECJ) decision overturning the agreement (see 1510060001), predicted there would be no new agreement. Privacy lawyers we spoke with said there will likely be another safe harbor but that many obstacles remain. European Justice Commissioner Vera Jourová, who updated the European Parliament Civil Liberties Committee Monday on negotiations with the U.S., said progress is being made but agreement won't be easy.

Since the ruling, the EC has been working closely with the Article 29 Data Protection Working Party (WP), which on Oct. 16 issued a statement on the ECJ judgment (see 1510160030), Jourová said. The WP said organizations can continue to use standard contractual clauses and binding corporate rules as mechanisms for data flows to the U.S. If by the end of January no appropriate solution with the U.S. has been found, and depending on their assessment of other data transfer tools, data protection authorities (DPAs) will take all necessary and appropriate actions, including enforcement actions, to ensure that personal data is protected, it said. The EC "feels strongly" that businesses need maximum clarity in the meantime, said Jourová. It will "soon" issue an explanatory statement on the ECJ ruling and will continue talks with DPAs on a uniform approach, she said.

Given that safe harbor was a central avenue for data flows to the U.S., it's "crucial" to conclude talks on a new framework on a higher data protection level, said Jourová. The new arrangements must comply with the ECJ ruling, so the EC needs more clarifications from the U.S. on several points, she said. Several technical discussions have been held with the U.S. and the commissioner is going to Washington in mid-November, she said. The discussions "are not easy," she said.

Under the judgment, the U.S. must offer privacy safeguards that are "essentially equivalent" to Europe's, said Jourová. A self-verification regime like safe harbor must have adequate detection and supervision elements such as transparency, enforcement and redress, she said. The U.S. agrees in principle with stronger cooperation with DPAs and to other changes that will make the system an oversight one, but the two sides are discussing how to make that binding, she said. In addition, safe harbor is a living document that needs regular reviews, and both parties have agreed on a joint annual review, she said.

The "biggest challenge" in the ECJ judgment is how to provide clear limitations and safeguards for law enforcement and national security, Jourová said. The U.S. has made several reforms, such as the USA Freedom Act, and the EC is already seeing more targeted surveillance activities, she said, noting the current bills in Congress to grant Europeans the right to redress for misuse of their data. The EC now must focus on these and other elements to see how they meet the requirements of the judgment, she said. The EC needs lawmakers' help to convince the U.S. of the need for further steps, she said.

The U.S. and EU are scurrying to agree on safe harbor 2.0, but Schrems said at an Oct. 21 discussion in the European Parliament that he doesn't think it will happen. The ECJ invalidated safe harbor on the grounds of U.S. mass surveillance and the lack of legal redress for those whose information is abused, he said. The court also defined "adequacy" (of data protection in non-EU countries) as "essentially equivalent" to EU privacy protections, and the safe harbor principles don't meet that test, he said. Safe harbor 2.0 would mean, among other things, that mass surveillance must cease and judicial redress provisions be enacted, Schrems said. The U.S. will likely say there's not much in safe harbor 2.0 for it, he said. He said this isn't U.S.-bashing, because EU nations are also carrying out mass spying and could be subject to the same challenges in the EU high court.

Schrems' view is "too pessimistic," said Linklaters attorney Tanguy Van Overstraeten, who heads the firm's global data protection practice. The EU and U.S. have discussed a new agreement for two years and, before the ECJ decision, apparently were close to resolving all the issues, he said. The court's focus on too much access by intelligence agencies and no redress right for EU citizens corresponds to the two recommendations that were still outstanding between the EC and U.S. authorities, he said. "It is difficult to address whether and how long it will take to resolve them as the discussions are obviously confidential," he emailed. Even if agreement is reached, the new version will be a recognized solution for data transfer "unless and until a potential review" by the EU high court.

Safe harbor 2.0 faces other hurdles, lawyers said. In their current form, the data-sharing rules in the Cybersecurity Information Sharing Act working its way through the Senate "will make it less likely that there will be a SH 2.0 that complies with all privacy standards of the ECJ," German data protection expert Axel Spies emailed. A new agreement "will eventually happen, but I predict that there will continue to be disputes about whether it provides an adequate level of protection," said Hogan Lovells (London) data protection attorney Eduardo Ustaran. The ECJ "has set a very high bar for Safe Harbor 2.0," he emailed.

Indications are that the Department of Commerce and the EC are intent on concluding safe harbor 2.0 as quickly as possible, together with the associated developments that will help address the issues raised in the ECJ ruling, said Baker & McKenzie (Chicago) technology and communications lawyer Brian Hengesbaugh. That the House has passed implementing legislation for the U.S.-EU "umbrella agreement," which would give Europeans a private right of action, is a further sign the U.S. intends to ink the deal, he said. Both sides recognize the importance of a safe harbor 2.0 arrangement "and we expect them to drive this to conclusion asap so as to avoid the collective action threatened by the EU data protection authorities at the end of January," he emailed.

Irish Data Protection Commissioner Helen Dixon, who was ordered by Ireland's High Court to review Schrems' complaint about Facebook, said Oct. 20 her office will do so "with all due diligence." Meanwhile, the use of other transfer mechanisms may become problematic after German state DPAs Monday issued a joint statement (in German) saying they will "currently" no longer approve any new binding corporate rules or "any data export agreements" for transfers to the U.S., Spies said. He predicted lawsuits, saying many companies may be unwilling to accept those restrictions.