Greetings from Brussels!
At the time of this writing, the countdown to the Safe Harbor 2.0 (aka, the Transatlantic Data Protection Framework) deadline has begun; we are 10 days away from the deadline set by the A29 Working Party for a new agreement between the EU and U.S. on data sharing. Whatever the outcome, it will have significant implications on European and U.S. organizations' ability to engage in a range of transatlantic transactions. It has been no secret here in Brussels that the tech and business community hope that a new Safe Harbor will bring the assurances that they have been seeking since the original framework was struck down.
For a refresh, the European Court of Justice struck down the agreement last year on the grounds that the U.S. could not adequately protect users’ privacy because of its “indiscriminate” surveillance practices. The degree of access that U.S. intelligence agencies will retain going forward remains a sticking point in the negotiation of a new agreement. The EU is pushing for more transparency in what data the U.S. is collecting. More specifically, the EU wants guarantees from the U.S. that the principles of necessity and proportionality will be applied when authorities request data from business.
Around 4,000 companies were making use of the previous Safe Harbor agreement, most of which are small- and medium-sized enterprises. They were able to self-certify that their protection of data was of a standard equivalent to that provided in the EU. Speaking in Brussels on Monday, EU Commissioner for Justice, Consumers and Gender Equality Vera Jourová said “only a comprehensive arrangement with clear legal commitments” could ensure the level of data protection Europeans were entitled to under EU law.
Four of the big U.S. and European trade groups recently signed a joint letter urging negotiators to meet the 31 Jan. deadline. Signed by the heads of Business Europe, Digital Europe, the U.S. Chamber of Commerce, and the Information Technology Industry Council, the letter dated 15 Jan. was addressed to both European Commission president Jean-Claude Juncker and U.S. President Barack Obama. The tone of the letter could not have been clearer: Industry warned of the enormous fallout for businesses, customers and users if the two sides fail to reach a new deal. The future of the expanding transatlantic digital market and economy is clearly at stake.
At a recent event in Brussels, Brad Smith, Microsoft president and chief legal officer (and a keynote speaker at the upcoming Global Privacy Summit in Washington), said the talks were "too big to fail. … We need a world in which people know that their rights will be protected by both their domestic and international law." Barring a total breakdown in the talks — which no one really expects — does anyone really think a full agreement can be reached by 31 Jan.? This seems unrealistic, though perhaps a political agreement can be reached; this was recently maintained by the European Data Protection Supervisor (EDPS) Giovanni Buttarelli, who stated a final deal with the appropriate legal basis could take months.
An additional complication to reaching an agreement might stem from the delay in passing the U.S. Judicial Redress Act through the U.S. Congress. This too could be months away.The legislation is also a prerequisite for a law enforcement threat-sharing “umbrella agreement” that U.S. and EU negotiators agreed to last year. The essential position of EU is that if Congress does not pass legislation extending the right to seek legal redress for privacy violations to non-U.S. citizens, the agreement is a no-go.
The next Article 29 meeting is scheduled for the 2 Feb., it will be interesting to see the reactions of the member state regulators to the progress made or lack thereof. Time is ticking on and waiting for no one, and there is much at stake.
If you want to comment on this post, you need to login.