EU Commission announces Safe Harbour 2.0 and a wider Data protection reform

The new EU-US data transfer deal, currently under development, will give the European Union the right to suspend the pact if privacy concerns are raised again, EU Justice Commissioner Věra Jourová said in a statement last week. For the first time, such right is formally guaranteed, and even though the pact is still a draft, the news sounds already like a game changer. Biggest news in place Indeed when more than two months ago the former data agreement between the European Union and the United States – the so-called “Safe Harbour” – was declared not valid, it became clear that the history of data protection between the two blocs would be changing sensibly. “In the new Safe Harbour there will be a suspension clause, saying that under concrete conditions we are going to suspend (it),” Commissioner Jourová said at the 6th Annual European Data Protection and Privacy Conference that took place last Thursday in Brussels. The safe harbour story The Safe Harbour, which was slammed on October 6 by the European Court of Justice because of worries about mass US surveillance practices, was basically making it legal for American firms to handle European citizens’ data if they could demonstrate – through a “self-certification” – that they met Europe’s privacy controls. Since 2000, more than 4,500 US firms have relied on Safe Harbour to go along with the EU Data Protection Directive on the protection and the transfer of personal data from the EU to the US. The two blocs have been negotiating for the past two years over a new agreement to replace Safe Harbour, but the Snowden scandal first and the Schrems’ case thereafter have rapidly changed things. The ECJ ruling Overall, Commissioner Jourová strongly defended the ruling by the European Court of Justice. “The Court ruling reaffirmed the fundamental right to data protection, including where data is transferred outside the EU”, she said. She then spoke about the importance of the economic ties the EU and the US have, and the consequent need of a “more comprehensive framework in place”, to ensure “proper protection and enforcement on both sides of the Atlantic”. “And this is what the Court ruling requires: where personal data travels, the protection has to travel with it”, the Commissioner for Justice underscored. A wider reform But the opening of the Annual European Data Protection and Privacy Conference was not limited to the new Safe Harbour. Indeed Commissioner Věra Jourová’s words last Thursday paved the way towards a wider EU data protection reform, whose aim would be to “strengthen the fundamental rights of individuals” and at the same time to “simplify the regulatory environment for businesses operating in Europe’s single market”. Surely not an easy mission, given the complexity of the matter, and the tight deadline she set: “We hope to reach agreement already within the next two weeks”, she added. Let’s try to see what the possibilities are and how the whole situation with the US looks like, starting from the Commissioner’s remarks on business. “A renewed arrangement will mean robust safeguards for citizens and legal certainty for businesses”, she said. “Businesses”, she continued, “will benefit by saving around 2.3 billion Euros per year only in terms of administrative burden and compliance costs deriving from the current fragmentation of national data protection laws”. For the attendants expecting more on the business side there was not a wider focus unfortunately. An optimistic deadline? All in all, Commissioner Jourová spread wide enthusiasm also towards her American counterparts by saying that she got the impression in Washington that the American side share the same aim and that she hopes “they share our sense of urgency after the judgment”. However, many things are still to be put in shape for such a revolution. Commissioner Jourová, again, maintains that she hopes the deal would be in place “by January”, but this deadline sounds a bit too optimistic right now. Indeed, Ted Dean, a US department of commerce official, who is also part of the US negotiating team, said the January deadline is meaningless. “It is not our goal to be done at the end of January. It is our goal to be done as soon as we possibly can,” he reportedly said. American concerns This happens for many reasons. It’s true for instance that US officials never admitted any violation of the European citizens’ privacy, and refused claims of mass surveillance. Robert Litt, a general counsel in the US office of the director of national intelligence, was quoted as saying that the ECJ basically has no evidence. “The Court did not find that US law and practices in fact did not protect privacy rights”, he reportedly argued. Moreover, there’s still an enormous sense of frustration on the other side of the Atlantic, among the some 4,500 US companies that previously signed up the self-certification regime, post the ECJ ruling. It’s pretty sure that no big collaboration without concessions will eventually come in the end. EU to mitigate risks The EU is now pushing for stronger privacy guarantees from the US negotiators, in order to ensure that a new framework won’t be slammed in the court’s door again, but it seems this won’t happen easily. The US has been historically reluctant to offer broad openings regarding the way American authorities access data for national security purposes, and the whole question seems to be ‘too’ thorny at this moment. Sceptics now warn that in the absence of strong privacy protections, a new Safe Harbour could be found again not valid in court, as it happened to its predecessor. Nevertheless, what would be much needed now is surely a wider reform of privacy laws on both sides of the Atlantic, something that would iron differences and prepare the ground for a long-lasting pact. Then another data privacy pact could come along again. In that scenario the 31st of January rather sounds indeed a bit too optimistic.