Justice Commissioner Vera Jourova told MEPs yesterday (1 February) that one day past the deadline given by EU privacy watchdogs, the European Commission still hasn’t struck a new Safe Harbour data sharing agreement with the US.
Data protection authorities gave the Commission until the end of January to fix a new arrangement to replace the Safe Harbour deal knocked down in October by the European Court of Justice (ECJ). But the Commission is still scrambling to agree on details with the US.
EU officials are trying to strike a deal that will restore commercial data flows between the US and Europe–and hold up in court if it’s challenged again. Over 4,000 companies signed on to use the new defunct Safe Harbour agreement.
“We need an arrangement that is fundamentally different from the old Safe Harbour,” Jourova said during a meeting of the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee yesterday evening.
Jourova told MEPs she would speak to US Secretary of Commerce Penny Pritzker on the phone after the committee meeting.
Over the last few weeks, EU and US officials have been holding increasingly frequent talks over a new deal.
The negotiations have come under pressure from Europe’s powerful national data protection authorities.
Privacy watchdogs from EU member states will meet over the next two days to thrash out their strategy on how to deal with privacy complaints. Companies that transfer large amounts of data from Europe to the US worry that national authorities might take a radical position and restrict transfers if the Commission doesn’t reach a new agreement.
Talks between US and EU officials have faltered over US intelligence agencies’ access to personal data. The ECJ verdict that ruled Safe Harbour invalid blasted mass surveillance in the US as a violation of EU citizens’ fundamental rights.
“I will not hide that these talks have not been easy,” Jourova told MEPs.
Jourova told MEPs yesterday that under a new deal, American access to EU citizens’ data would have to be “limited to what is necessary and proportionate”. Mass surveillance would violate the agreement, Jourova said.
German MEP Birgit Sippel (S&D) questioned those terms. “Access to what’s necessary? I’d be interested to hear who it will be necessary for. For industry? For national governments? For intelligence services?” Sippel asked.
Under the conditions outlined by Jourova, the US security services could still access EU citizens’ data through indiscriminate surveillance if “tailored and targeted access is not technically possible” or authorities detect a “dangerous trend that requires more than targeted access”.
Jourova also emphasised that the new agreement will designate an independent ombudsman in the US federal government who will scrutinise Europeans’ data privacy complaints.
MEPs countered that a new agreement might not even hold US authorities legally accountable if it isn’t joined by a US law guaranteeing increased data protection.
Jourova vowed that for a deal to go through, “we need signatures at the highest possible political level”. Those signatures from top US officials “will be taken by our side as legally binding,” she said.
But some MEPs argued that signatures alone would be too flimsy.
“A year from now there will be a different administration. What will the written assurances be worth if the next administration will be the Trump administration or the Sanders administration?” Dutch MEP Sophie in ‘t Veld (ALDE) asked.
A new data transfer agreement with the US will include a suspension clause, which, according to Jourova, can be drawn on if US officials don’t hold up their end of the deal.
“We don’t have any other choice but to expect continuity. If not, then we will have to suspend the new system,” she said.
Jourova will brief the cabinet of EU commissioners on the state of negotiations in a meeting today. National data protection authorities are expected to announce their position on the pending data transfer deal tomorrow (3 February).
Wim Nauwelaerts, managing partner at law firm Hunton & William in Brussels: “The Commission is under a lot of pressure not only to come up with an arrangement that is set in stone, but also that takes into account all the concerns raised in the Schrems decision. Based on the reactions of the Parliament tonight, it is clear that they want to avoid a Schrems II at all cost.”
Estelle Massé, European policy analyst at NGO Access Now: “For the time being, any deal would not likely resist future legal challenges. Only a few of the privacy and surveillance reforms that are needed to secure an agreement have been implemented.”
Dean Garfield, president and CEO of Washington-based technology lobby group Information Technology Industry Council (ITI): "Given the very complex issues at hand, we understand that the negotiators are continuing their work and are taking some additional time to ensure that they conclude the strongest possible agreement. We encourage negotiators to take the time necessary to secure an agreement that both enhances privacy protections and provides the certainty needed to promote innovation and economic growth.”
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US--provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
- End of January: Deadline given by European data protection authorities for a new EU-US data transfer agreement.
- 2 February: Data protection authorities hold meeting.