As Deadline for Safe Harbor 2.0 Deal Nears, Privacy Chiefs Prepare Enforcement Approach
Despite a continuing lack of consensus on a new safe harbor agreement, talks between the EU and U.S. are moving quickly, stakeholders said in interviews last week. Those involved are optimistic because there's momentum, said Linklaters (Brussels) privacy and data protection lawyer Tanguy Van Overstraeten. The EU Article 29 Data Protection Working Party (WP) said Oct. 16 if there's no new arrangement with the U.S. by the end of January, and depending on assessment of other data transfer tools, national data protection authorities (DPAs) would take all necessary and appropriate actions, including enforcement, to ensure personal data sent to the U.S. are protected (see 1510160030).
WP meets Feb. 2 to set out a common position on the basis of an analysis focused mainly on the validity of the transfer mechanisms of binding corporate rules and model contract clauses, said a spokeswoman for French privacy watchdog CNIL (Commission nationale de l'informatique and et des libertés). CNIL chairs the WP. It's likely DPAs will now wait until after that meeting to start any enforcement actions, said Van Overstraeten.
DPAs will probably hold off until they have the opportunity to discuss and agree on their approach and the WP issues its statement, said data protection and privacy lawyer Dyann Heward-Mills of Baker & McKenzie (London). The U.K. Information Commissioner's Office has said it won't rush to enforcement, in contrast to statements from some other DPAs, she said.
The U.S. has taken some steps toward aligning its privacy environment with European Commission wishes, Van Overstraeten said. The House passed the 2015 Judicial Redress Act to allow Europeans to seek redress when their personal data is misused, although with the presidential election looming, Senate approval may not come as quickly as needed, he said. The FTC has shown more interest in enforcement since even before the Oct. 6 European Court of Justice (ECJ) ruling in Schrems (see 1510060001), said Van Overstraeten. The EC is clearly pushing hard for a concrete solution such as a safe harbor 2.0, but whatever solution emerges will have implications for binding corporate rules, model contract clauses and other transfer mechanisms, he said.
"As negotiations are ongoing, this is not the time to discuss in any detail what the difference[s] might be in a new arrangement," an EC spokeswoman said. She pointed to comments by EU Justice, Consumers and Gender Equality Commissioner Vera Jourová at a December news-media briefing that "there is nothing new" on safe harbor. The EC is still negotiating commercial aspects with U.S. trade officials and national security bodies, the commissioner said. On surveillance and security, she said, "We still require guarantees from the U.S. that necessity and proportionality will be applied to requests for data from companies under the possible future safe harbour system. We also require transparency, which can be difficult with secret services." Informing the EC about the number and nature of requests without breaching anything connected with the secret character of national security bodies' work and data requests is an issue, Jourová said. "We are still negotiating and discussions are very intense. I see the end of January deadline as realistic."
The sticking point in safe harbor talks concerns what standard the U.S. will be held to for assessing its surveillance rules, Heward-Mills said. Although worries about U.S. spying were a central theme in Schrems, the ECJ didn't address how the U.S. approach compares with that of Europe, she said.
If the U.S. is held to a higher standard than EU countries on surveillance and access to information, then U.S. authorities "may have challenges to safely pass the test," Heward-Mills said. If, however, the U.S. is held to a standard equivalent to EU nations' on access to data for national security purposes, there's an opportunity for agreement, she said. Given the unlikelihood that the Judicial Redress Act will be enacted and U.S. surveillance laws updated before month's end, there would have to be some other solution to meet the "aggressive timeline" for a new safe harbor, she said. And given the sensitive nature of the issue, any EC approval for a safe harbor 2.0 would have to come after consultation with the European Parliament, the Council and the WP, which would also take time, she said.
The private sector voiced several concerns in meetings with the WP, Van Overstraeten said. Two are that regulators not leave companies in legal limbo on data transfers and that any solution be harmonized among EU members, he said. Some in industry believe personal data from EU residents should be stored in the EU rather than the U.S., an idea Van Overstraeten said could be deemed protectionism. Some businesses say encryption could be used as a technical solution for data in transit, but the problem is that once the data are accessed and processed by service providers outside EU borders, encryption is no use, he said.
Several other issues are also under discussion with the WP, another industry lawyer said. One is the idea that companies subject to data requests from U.S. security services be required to report when they've turned over personal data, though it's not clear to what extent U.S. authorities would go along with this, the attorney said. Another possibility is that DPAs might be asked to help support European data subjects in seeking redress for U.S. infringements, the lawyer said.