
Europe to the USA - you're just not trying hard enough on Safe Harbor II

Stuart Lauchlan, February 1, 2016
The Safe Harbor II deadline came and went - and according to the Eurocrats it's in large part because the US needs to try harder. Just how much further can those goalposts move?

Vera Jourová
The Commissioner wants words with the US

The deadline came and it went and the world didn’t end - yet.

But we’re now in uncharted waters for the time being after the Europeans and the Americans failed to come up with a plan for Safe Harbor II.

Now granted it’s a busy week, what with electoral distractions in Iowa and all eyes in Europe on the European Commission’s Brexit-avoiding proposal, but there’s still the problem of a Safe Harbor replacement to be dealt with.

The deadline was the end of January and it was missed, with Europe now constructively ticking off the US for not trying hard enough!

Commissioner for Justice, Consumers and Gender Equality Vĕra Jourová told the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last night that:

Additional effort is needed.

Jourová cited four specific 'must try harder' areas:

  • the need for limitations and safeguards as regards access to data by public authorities.
  • independent oversight and individual redress in the area of national security.
  • resolution of individual complaints about how companies process personal data.
  • the need for binding commitments from the US side.

On the need for safeguards around snooping, Jourová says:

Assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-US persons. And let me be very clear, we will need to continue to monitor developments in this area also in the future. We need trust, but we have a duty to check.

On the oversight issue, Europe wants:

a functionally independent body who will answer individual complaints from Europeans if they fear that their personal information has been used in an unlawful way by US authorities in the area of national security. A body that has access to the information from the national security bodies.

That’s a big ask of the US at any time; in an election year, it’s a ludicrous expectation. The Republicans definitely won't buy it and most Democrats won't either. No Presidential candidate will go for this and whoever's on either ticket will have much to gain by taking a tough stand.

Of the election itself, and the reality of a new administration in place in a year’s time, Jourová insists that whoever’s in the White House next February will have to stick to what his or her predecessor agrees to, or else:

We don’t have another choice other than to expect continuity. If not, then we will have to suspend the system. That is absolutely clear.

Tough talk. I'm impressed. Ahem.

What is actually "absolutely clear" is how unlikely it is that what is acceptable to President Obama will be acceptable to President Clinton or President Sanders, let alone President Trump or President Cruz. Given the latter two openly admit they will tear up Obamacare and marriage equality laws as soon as they can, what chance data protection demands from uppity European bureaucrats?

On complaint resolution, there are various proposals in play, including one that would allow European citizens to go to their national Data Protection Authority, which would then have access to the US Department of Commerce and the Federal Trade Commission to get those complaints answered.

And Jourová wants America to sign in blood on all this so there can be no backing down:

We need commitments by the US that are formal and binding. As this will not be an international agreement, but an exchange of letters, we need signatures at highest political level and publication of the commitments in the Federal Register.

Only the EC is allowed to move the goalposts, it seems. It was ever thus.

What now?

So overall, we’re not much further forward. After over two years of effort and a last-minute drilling-down on detail following the striking down of Safe Harbor by the European Court of Justice last year, it’s stalemate.

In light of the regrettable ongoing ‘vow of silence’ from the US cloud majors, it’s being left to smaller firms to voice their concern about what happens next. For example, Mike Weston, CEO of data science consultancy Profusion, calls this a “watershed moment” for the global tech community:

The reality is that the US and Europe have completely different positions on an individual’s right to privacy online. In Europe, with the exception of the UK, the direction of travel has been towards increasing data protection. Whereas, in the US, with the passage of the Cybersecurity Information Sharing Act, the Government’s position is the polar opposite.

Unless there is a huge change in policy on one side of the Atlantic, agreements like Safe Harbor are doomed to failure. It is also worth noting that the US Department of Justice’s (DoJ) case against Microsoft concerning gaining access to information held in a data center in Ireland is due to be decided soon. If the DoJ is successful, there is a real risk that the breach between the US and EU will become permanent.

For tech businesses and consumers throughout the world, the collapse of the free flow of data across the Atlantic would be a disaster. Costs will go up as companies increase data storage throughout Europe, smaller companies will find it much harder to grow globally, and consequently, innovation will be severely curtailed. The net result for the man or woman in the street will be more expensive online services and less choice.

So what to do, what to do? Well, don’t panic, is the sound advice from Frank Jennings, Cloud, data & commercial contracts lawyer at Wallace LLP, AKA The Cloud Lawyer. He makes the point that it’s in the interests of the US government to get this stuff sorted as quickly as possible.

As ever, Jennings is keeping a level head here, offering a number of recommendations that everyone with a stake in the fate of Safe Harbor should heed:

  • Audit your data and what is being transferred.
  • Re-evaluate your data security processes.
  • Keep some or all of your data in the European Economic Area.
  • Implement a data protection policy internally for staff and train them.
  • Implement contractual safeguards with customers & suppliers.
  • Be prepared to demonstrate that you (and your customers and suppliers) are compliant.

Meanwhile there will be further news coming out of Brussels later today (2 February) following a gathering of EU Data Protection Authorities. Whether that helps take this forward remains to be seen.

My take

They didn’t cut a we expected.

It’s America’s it would be.

The Eurocrats want usual.

