Euro privacy warriors: You've got until January to fix safe harbor mess – or we unleash hell
Lawyers to menace Silicon Valley unless peace brokered
Europe's privacy guardians, the Article 29 Working Party, has given the European Commission and US government until the new year to sort out the safe harbor shambles – or Silicon Valley faces a legal showdown.
In a letter published Friday, the working party noted that this month's decision by the European Court of Justice (ECJ) to void the US-EU safe harbor agreement means any personal information sent across the Atlantic is "unlawful". That's bad news for Silicon Valley.
Under European law, people's private information must stay within the Continent's borders. America had a so-called safe harbor pact with Europe, a promise to safeguard citizens' data, but in the wake of revelations about the NSA's mass surveillance of innocent people, the ECJ tore up that pact. That means US tech giants must stop slurping Europeans' personal lives into stateside servers.
The working party warned today: "If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
In other words, the politicians have three-and-a-half months to reach a new solution or the lawyers will be set loose.
It also warns that that solution cannot be a fudge and that it expects to see any new framework clearly address the issue of mass surveillance.
A key part of the letter notes:
The Working Party underlines that the question of massive and indiscriminate surveillance is a key element of the Court’s analysis. It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue.
It goes on: "Furthermore, as already stated, transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers."
It then asks for the EC and US government to "find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights," and to do so urgently.
The US government has already made it plain it is bumping up its efforts to reach a new safe harbor agreement – a process that has already been going on for two years. But the Article 29 Working Party notes that it doesn't see that as a silver bullet:
The current negotiations around a new Safe Harbor could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.
The message to reach urgent agreement was also made stated clearly earlier this week by big business in a letter to the European Commission in which industry groups felt they had to "stress the need for this work to continue as a European Commission priority until these matters are appropriately resolved."
The Article 29 Working Party tries to settle obvious concerns that businesses – including the company at the heart of the court case, Facebook – have that they are breaking the law. The letter notes that between now and its deadline, "data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used."
Taken overall, the aggressive and slightly self-important letter should be taken into the context of the wider European political system. Data protection authorities do have the law on their side but are frequently sidelined or ignored by politicians and civil servants.
This has led to a culture of righteous indignation in the Article 29 Working Party, and its letter this week in just one in a long line of angry finger-waving missives. The difference this time is that the European Court of Justice has forced the politicians' hand by declaring the safe harbor framework illegal.
Will the letter's deadline of January 2016 represent a real line in the sand? Yes and no. The EC already knows that it has to reach agreement rapidly and it is most likely already working on the same timeframe; the Working Party just decided to beat its own chest by declaring it so.
In that sense, the letter simply adds to the existing pressure. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016