In what at first appears to be an outbreak of common sense, it looks like Europe won’t be scrapping the Safe Harbor deal with the US just yet, despite what has seemed to be the best efforts of many at the top of the European Commission.
But no-one should relax just yet as the Commission yesterday presented the US with a list of demands that seem unlikely to do much to improve European/US relations.
In the wake of the NSA PRISM spying scandal, the likes of Commission vice president Viviane Reding have openly questioned whether the bilateral Safe Harbor agreement is actually safe at all.
Up to a point, she may be right. The scheme is purely voluntary.
To comply with it, US firms have to sign up to a set of rules that are intended to protect the data privacy of European Union customers. They then get to stick a logo on their web sites to show that they’ve done this.
The whole thing is supposedly policed by the US Department of Commerce and the US Federal Trade Commission, but there are those who suggest that there are many, many US firms who aren’t falling under their scrutiny.
In the febrile climate following the PRISM revelations, Reding has been highly vocal in pushing for a tougher regime, right up until yesterday when she was declaring:
“Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced.”
Her message now is that it’s time for the US to put its house in order:
“There is now a window of opportunity to rebuild trust which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-U.S. data protection ‘umbrella’ agreement.
“Such an agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress in the U.S. whenever their personal data are being processed in the US.”
In its Communication the Commission states:
The reach of these surveillance programmes, combined with the unequal treatment of EU citizens, brings into question the level of protection afforded by the Safe Harbour arrangement.
The personal data of EU citizens sent to the US under the Safe Harbour may be accessed and further processed by US authorities in a way incompatible with the grounds on which the data was originally collected in the EU and the purposes for which it was transferred to the US.
A majority of the US internet companies that appear to be more directly concerned by these programmes are certified under the Safe Harbour scheme.
Pay attention to our demands
So what is it that Europe wants the US to do? There are six main action points on the agenda:
- EU demand: Swift adoption of the EU’s data protection reform.
- Likely US reaction: Given that the UK, Ireland and other EU nations aren’t happy with the way these proposed reforms are shaping up, only a committed 'grand project' Eurocrat could seriously expect the Americans just to go along with this.
- EU demand: Introduce 13 changes to the Safe Harbor scheme by the middle of next year, at which time the Commission will come to its conclusion about whether to leave the arrangement in place.
- Likely US reaction: OK, this might be possible, but will the US authorities appreciate being bossed around to a deadline, especially with the implicit threat that if Europe doesn’t get to set the rules then it will take its ball away? Actually scrap implicit. It’s a pretty damned explicit threat, tantamount to blackmail. (You can read the 13 required changes here if you have the patience.)
- EU demand: Strengthen data protection safeguards for law enforcement.
- Likely US reaction: Frankly it’s just unclear what this would involve.
- EU demand: Commit to a legal framework between the EU and the US to obtain data which would mean that US authorities could not ask companies directly for data.
- Likely US reaction: Will be seen as the Commission trying to insert itself between the US authorities and third parties.
- EU demand: Addressing European concerns in the on-going US security reform process.
- Likely US reaction: Let Europe poke its nose into internal US political policy making? Let’s see, how’s that one going to go down in Washington, do we think?
- EU demand: The US needs to sign up to follow the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).
- Likely US reaction: Oh, you get the idea by now...
Just in case you don’t get the message that Europe's going to be setting the rules here, there’s also confirmation that there's no prospect of the Commission allowing data protection matters to become part of the on-going negotiations for a Transatlantic Trade and Investment Partnership.
The Commission's communication concludes:
Areas listed in this communication will require constructive engagement from both sides of the Atlantic.
Together, as strategic partners, the EU and the US have the ability to overcome the current tensions in the transatlantic relationship and rebuild trust in EU-US data flows.
Nice sentiment, but...
The Home Affairs Commissioner Cecilia Malmstrom this week called the NSA:
“an uncontrollable monster.”
Maybe she’s right. Certainly it’s behaved in an appalling manner.
But I’m very tired of the ‘holier than thou’ posturing by European nations whose own security services have been up to exactly the same sort of tricks for years.
The NSA got caught. There but for the grace of Snowden go others.
Malmstrom said yesterday:
“EU citizens' trust has been shaken by the Snowden case and that serious concerns still remain following the revelations of widespread US illegal access to personal data.
“A trust-building process will only work if the US will agree to put in place the necessary legal frameworks to define in details what can be done, and under which guarantees.”
In other words, it’s up to you, Obama. Put your house in order or we’ll… do something!
I can’t help but feel that the Washington establishment isn’t going to warm to such a blunt list of demands and deadlines.
Clearly something needs to be done about what is a wholly unsatisfactory situation and clearly there needs to be a shift in the US stance.
But the hectoring tone coming out of the European Commission isn’t conducive to getting a mutually satisfactory agreement in place.