Safe Harbor 2.0: US-Europe talks on privacy go down to the wire
End-of-month deadline looms for vital data sharing pact
United States and European Commission officials have promised they are doing everything possible to reach agreement over transatlantic data-sharing before a critical deadline at the end of this week.
After the Safe Harbor agreement – put in place in 2000 – was struck down by Europe's highest court back in October due to NSA spying, officials have been scrambling to find a solution or risk causing enormous disruption to US-Europe commerce.
Both sides are desperate to make it work before the January 31 deadline imposed by the Europe's privacy guardians, the Article 29 Working Party, which warned it would "take all necessary and appropriate actions, which may include coordinated enforcement actions" if the deadline was not met.
Under the Safe Harbor agreement, personal and private information on European citizens was allowed to leave the Continent and be stored in America – provided the US respected people's privacy. The revelations of the NSA's blanket surveillance of the internet shattered that trust, and so the agreement was scrapped. That's a big problem for Silicon Valley.
The issue dominated the annual State of the Net conference in Washington DC on Monday and even though officials refused to give precise details over the new agreement, it was clear negotiations will go down to the wire.
One of the negotiators in a new agreement that has been put forward by the US government, Deputy General Counsel of the Department of Commerce, Justin Antonipillai, noted that the deadline of 31 January was on a Sunday, and so the negotiation team views Tuesday, February 2 – the next meeting date of the Article 29 Working Party – as the true deadline.
"We've presented a very strong proposal and foundation to help the [European] Commission react to the findings that have been made," Antonipillai told the policy wonk audience. "But time is not on our side. We are committed to do what we can within limits."
That a senior official would be quibbling over 48 hours for talks that were started two years ago and have been going on intensively for three months is certainly a sign that things are not going well.
The negotiations have been a remarkable battle between an economically dominant US and privacy-respecting Europe.
Also speaking at the conference, the EU's digital economy representative to the US, Andrea Glorioso, pointed to the fact that the European Commission had developed 13 recommendations for changing the Safe Harbor agreement more than two years ago after the extent of US government spying, which included grabbing and storing internet data from such services as Facebook, Google and Twitter, was revealed.
"Following Snowden's revelations and the impact they had on the European public, rather than suspending the arrangement, we said Safe Harbor has to be improved, strengthened," noted Glorioso. "We have been in discussion since October 2013 on those recommendations."
Not one of those recommendations was implemented by the US before the European Court of Justice struck down the agreement. Since October, occasional leaks over the negotiations have repeatedly pointed to intransigence on the part of the US intelligence services as the main stumbling block.
Back in October, EU Justice Commissioner Vera Jourová said that the EC's position was that blanket surveillance of Europeans by the NSA should be subject to judicial review. The intelligence agencies pushed back heavily on that, prompting Dutch justice minister Ard van der Steur to say in December that he didn't think an agreement was going to be possible before the end of January.
That topic was repeatedly referenced by Antonipillai and Glorioso.
"The ECJ judgement required the Commission to look at the framework within the context of US law and with a commitment to work together with how intelligence agencies operate," said Antonipillai. "What was not in the decisions - and this is important - there were no findings about US national security law and no findings about how US law enforcement works."
Antonipillai also noted that the negotiating teams had spent "a lot of time ensuring that citizens have many means to pursue legal remedies" while noting that they had to be careful that companies were "not subject to all 44 DPAs," referring to the independent data protection agencies of the European Union.
Sponsored: Becoming a Pragmatic Security Leader