One of the big topics here in Brussels is the possibility of a new transatlantic data transfer agreement to replace or reinstate Safe Harbor. With a deadline for a renegotiated deal looming, the clock is ticking and businesses are on edge.
That’s why privacy pros flocked today to a Computers, Privacy, and Data Protection Conference panel discussion between FTC Commissioner Julie Brill and the European Commission’s Director for Fundamental Rights Paul Nemitz – both of whom are taking part in current negotiations – to hear the latest developments. Though it wasn’t entirely clear if an agreement will be ready before the
“We’re working very hard to find an agreement that will withstand the judicial review" before the Court of Justice of the European Union, Nemitz explained. “We have been given very clear criteria by the judgment in Schrems.” Additionally, Nemitz highlighted the importance for European citizens to have a right of redress – “essentially equivalent protection in the Safe Harbor” – in U.S. courts.
This could be challenged, however, as two Republican senators attached an amendment on the proposed U.S. Judicial Redress Act, on Wednesday, thereby sending it back to the House of Representatives and ensuring, at the very least, a delay in passing the bill. Action is being taken on the bill as this piece publishes.
During the panel discussion, Nemitz said the FTC has a large role to play “and we hope that it will be possible to find a solution over the next days with the U.S. government."
“I think we need to take it one step at a time,” Brill said. “My view is that there are a lot of good proposals on the table … There is absolutely a path to yes and we need to get to yes. I don’t have a crystal ball, but I do think we ought to get to yes, and we ought to get to yes rather quickly.”
[quote]The fundamental issue, FTC Commissioner Julie Brill said, is the definition of essential equivalence.[/quote]
The fundamental issue, she said, is the definition of essential equivalence.
Brill argued that the CJEU did not address it at all in the Schrems decision, and that, rather, it focused on national security and mass surveillance.
“If the European Commission is saying it needs this,” Brill said, “the U.S. side is listening, and have put a number of provisions on the table, but it’s important that the data protection authorities in Europe get involved and be part of the solution. We need to have a partner that will cooperate with us – that it needs to be a two-way street.”
Brill warned that the Schrems decision placed a large onus on EU DPAs, and asked whether they’d have the capability and resources to do their job: “The job the court has given them is huge, and they’re going to need help.”
Nemitz welcomed Brill’s comments here, hinting that under the current proposal, the FTC has the first right to act. If it doesn’t take up a case, then there are other ways that a complaint could be handled. “We have a historic role with DPA oversight,” he said.
Regarding essential equivalence and the Schrems decision, Nemitz pointed out that the CJEU is not a court driven by party presentation, noting that the court investigates the issues on its own. “You can be damn sure that our judges knew exactly what they were judging about and why they were saying there cannot be continuous mass surveillance because that would be the end of democracy,” Nemitz exclaimed at one point.
[quote]“You can be damn sure that our judges knew exactly what they were judging about and why they were saying there cannot be continuous mass surveillance because that would be the end of democracy,” Director for Fundamental Rights at the European Commission Paul Nemitz exclaimed at one point.[/quote]
“Paul is proving my point that this is an important part of the discussion,” said Brill. “What I’m trying to say, if one does look at the facts in the U.S., one would have to find we have put in place lots of provisions that deal with these issues with respect to proportionality; and these facts were not considered by the [CJEU].”
Though Brill and Nemitz disagreed on the definition of essential equivalence, there appeared to be the possibility that a political agreement could be reached within days.
“We hope to reach an arrangement that is acceptable to the European Commission by Monday,” Nemitz said, “and Monday evening we will go to the LIBE Committee of the Parliament. On Tuesday, the college will meet and make its decision. If we have a finding, we will explain why we have a finding; if not, we will explain why not.”
Nemitz was also careful to point out that the European Commission is the negotiator in the talks, and that for any deal to be reached, a new arrangement would have to withstand the scrutiny of the CJEU.
“If there is a finding, we will propose a decision of adequacy to the Member States, who have to deliberate,” Nemitz explained. “It’s the Commission that decides in the end, but it needs the backing of the Member States.”
“If we have a finding, the process will go smoothly,” he added.
Though the European Parliament has a limited role in the Safe Harbor talks, it does have a legitimate interest. That’s why, according to Nemitz, Vera Jourová will go to Parliament and explain the finding Monday night.
[quote]“I’d like to remind every one that we have much bigger problems to deal with than this,” FTC Commissioner Julie Brill warned. “If we can’t solve this problem, we’re in big trouble.”[/quote]
Even though details of any potential agreement are not known, IAPP Vice President of Research and Education Omer Tene described how complicated it will likely be. “I haven’t seen the language of the new Safe Harbor,” said Tene. “I would assume that given the GDPR has already passed, the Safe Harbor will have to incorporate not only the rights under the 95 Directive, but also the new rights under the GDPR – like, for example, the right to be forgotten and data portability.”
Though a new data-transfer agreement is paramount, Brill pointed out that these negotiations are a smaller part of a bigger issue involving rapidly evolving Internet-of-Things technology, widening data security risks, and chances for great privacy harm to people around the world.
“I’d like to remind every one that we have much bigger problems to deal with than this,” she warned. “If we can’t solve this problem, we’re in big trouble.”