Pattys' Pioneers have been tracking the collapse of the Safe Harbor agreement between the EU and the US that has made it illegal to move customer data back and forth between the EU and the U.S. The Safe Harbor Agreement was signed in 2000 and allowed U.S. companies to extract data on European customers under a single provision rather than adhere to the privacy laws in each of the countries in the European Union. Safe Harbor was invalidated in October 2015, by a ruling that essentially said that Facebook cannot guarantee that US government surveillance is not being conducted on European customers' Facebook accounts.

Beware the EU-US "Privacy Shield"; It Won't Hold Up

Pioneer Scott Jordan posted a link to this wonderful story that appeared in Politico on February 5th: The Phone Call that Saved Safe Harbor: How three months, two women and a last-minute intervention brought about the new transatlantic data pact by Zoya Sheftalovich.

Safe Harbor is not yet "saved." What this article describes wonderfully are the last minute diplomatic efforts that took place in late January/early February to keep US companies from being inconvenienced. Here are a few excerpts from the article:

"The breakthrough phone call came in the middle-of-the-night last Tuesday [Feb. 2]. On the line: John Kerry, the U.S. secretary of state, and Frans Timmermans, the first vice-president of the European Commission.

"Negotiations were at a stalemate and running out of time. Officials from the European Union and America could not break through a couple of roadblocks to forge an agreement to give legal cover for companies to transfer data across the Atlantic. The official January 31 deadline had already passed."....

"Two obstacles remained: How would the U.S. guarantee that complaints from Europeans would be investigated? How would the Commission ensure data would not be intercepted indiscriminately as it traveled across the Atlantic?"

"At 4:30 p.m. on Tuesday, February 2, the deal was announced in a triumphant press conference in Strasbourg....."

"But the issue is far from settled."

EU Justice Commissioner Vera Jourova and Vice President Andrus Ansip announce the EU-US Privacy Shield Agreement

What Did the EU & US [Executive Branch] Agree to?

We don't know!

The "agreement" took place as an "Exchange of Letters." The actual agreement has not been made public, nor shared with the Data Protection Authorities who have to approve it in order for it to stand up in European court. The Commissioner spelled out her intent for the safeguards to EU citizens' privacy that must be protected in a speech she gave on February 1, 2016. But it appears that the US Dept. of Commerce and the State Dept., may have used sleight of hand to get the EU to agree to a set of provisions that won't pass muster with the European Court of Justice that annulled the Safe Harbor Act.

As the news emerged on February 3rd, "our man in Paris," Donald Callahan from Duquesne Advisory Services, commented:

• "Something has been announced, but no official documents, just an ambiguous press release (this is the key point) especially since the same words mean different things to the US side and the EU side (convenient)

• The Working group of the 29 National Data Protection Authorities (DPAs) is cautious, but wants more detail by the end of the month 

• Don't forget that the European Commission lost a lot of face when the European Court of Justice stepped in, so it wanted to do something

• Maybe some progress for EU citizens; but none for US citizens

• I personally think that the US administration was doing the best it could, given that it has no possibility of getting a real treaty through congress (so this thing will be an "exchange of letters" for whatever that is worth)"

Donald Callahan pointed us to Max Schrems' tweets. Max Schrems is the Austrian law student who won the court decision against Facebook that invalidated the Safe Harbor provision.

Max is also quoted as saying:

"A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance.”

And:

“We don’t know the exact legal structure yet, but this could amount to obviously disregarding the Court’s judgment."

According to EDRI (European Digital Rights Association), there actually was no deal. On February 3, 2016, Joe McNamee, of EDRi published "What’s behind the shield? Unspinning the “privacy shield” spin

Here is some of what he had to say:

"Was there a deal?

Actually, there was no deal. The Commission had to announce something on 2 February in order to prevent regulators from starting enforcement action against companies that were (and, today, still are) transferring data illegally to the United States.

Is it strategically wise to announce a deal before discussions have been completed?

For the US, definitely, for the EU, it was strategically disastrous. As the EU has announced a deal, European negotiators have absolutely no leverage in the discussions around the detail of the agreement. Politically, it is impossible for the EU  to reject anything that the US now proposes, because it is politically impossible for the Commission to abandon negotiations after it announced the completion of an agreement.

Are there significant questions to be addressed?

Yes. The US was so sure that it would be able to persuade the EU to capitulate in the negotiations that it adopted the flawed “Cybersecurity Act”. Under that legislation, a provision was adopted under which Internet companies (either voluntarily or under coercion) will be able to secretly share personal data with US authorities – in direct contravention of the ruling of the Court of Justice of the EU.  Similarly, the previously announced but unpublished (see the first bullet point, above) Umbrella Agreement is seriously deficient and needs to be re-negotiated before it can be adopted. The EU now has no leverage to demand this. Finally, the crucial Judicial Redress Act has been amended by the US Senate in a way that means that individuals outside the US can only get redress if their government shares enough data with the US authorities.

Whose dictionary will be used?

A further major problem with the current approach is that the EU and US have different interpretations of the words being used. Under current US practice, collecting all information related to European citizens does not constitute processing of personal data and is targeted. Under current EU practice, such data collection is processing of personal data and is not targeted."

Among the strong criticisms from European privacy advocates, the sense is pretty unanimous that the European Commission caved to the US State Department and to the US and EU Depts. of Commerce--both of which were concerned about the adverse impact of not reaching an agreement by the January 31st deadline.

Response by the European Working Group

Although the European Commission has the authority to approve the final agreement, it is highly likely to be overturned, once again, by the European Court of Justice, unless it has been approved by the Working Group of National Data Protection Authorities. That working group issued a strong response to the press release announcing the EU-US Privacy Shield Letter of Agreement. That document included the following warning [emphasis is ours]:

"The WP29 welcomes the fact of the conclusion of the negotiations between the EU and the U.S. on the introduction of a 'EU-U.S. Privacy Shield', which meets the deadline set by the WP29 in its statement of 16 October. It looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data.

As it was announced in its statement, the WP29 analysed in the last weeks the robustness of the other transfer tools as regard the reasoning of the Court. Therefore it has been assessing the current legal framework and practices of US intelligence and the conditions under which it allows any unjustified interference to the European right to respect for private life and data protection....

The WP29 has conducted its assessment in light of the European jurisprudence on fundamental rights which sets four essential guarantees for intelligence activities:

1. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;

2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;

3. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;

4. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

The WP29 stresses that these four guarantees should be respected whenever personal data are transferred from the EU to the United States and to other third countries, as well as by EU Member States."

Reframing the Broken US/EU Data Protection Agreement as a "Privacy Shield"

How did Safe Harbor 2.0 become "Privacy Shield"? I like the new name. Too bad it's not accurate. The Politico article explains how the new name came about:

[Commissioner Věra] Jourová, [the EU’s Commissioner for Justice, Consumer Protection and Gender Equality] had been canvassing opinion for weeks. The suggestions were always “transatlantic” this or “data protection” that. The commissioner wanted something catchy, that symbolized the added protections she felt the new framework provided.

A week before the deal was finally done, someone (it’s not clear who), suggested “Privacy Shield.” It was fun, Jourová said, Star Wars-y. It sounded impenetrable, strong...."

What Actually Has to Happen?

Here's my take. In order to comply with the provisions of the EU charter, the US government has to be be able to prove that there is no mass surveillance taking place on EU citizens' data. The US government must have a legally binding guarantee that this is the case. The US government has to provide a legal entity with the clout to promptly investigate any claims by European citizens that their privacy has been violated. The results of those investigations must be transparent and trusted.Then the working group of National Data Protection Authorities--the watchdogs for European citizens' privacy--will need to be convinced.

The good news for US and other global citizens is that we may ALL benefit.

What do the Critics Fear?

In an article entitled: Safe Harbor 2.0: Critics Slam US, EU ‘Privacy Shield’ Data Transfer Deal’s Lack Of Details published in the International Business Times on February 3rd and written by Jeff Stone, Stone interviews legal counsel from affected companies: 

“Nothing really changed between yesterday and today,” said Chris Gallagher, senior vice president at Special Counsel, a legal staffing company that operates in 70 countries, and National Director of eQ, the company’s eDiscovery arm. “This was really a play to get the data privacy folks in the EU to give the U.S. more time before enforcement. All it did was extend the gray area we’ve been in for the last month for another two or three months and into early April at the earliest.”

Gallagher spoke Wednesday on a panel at the LegalTech trade show in New York City, where he was joined by Brian Corbin, vice president and assistant general counsel at JPMorgan Chase, and Kenneth Rashbaum, a partner at Barton LLP, who specializes in privacy and cybersecurity. Each participant agreed that the Privacy Shield raises more questions than answers at this point.

The date of implementation, what to expect from the EU approval process, the possible arbitration costs shouldered by U.S. companies and how much power will be given to the U.S. ombudsman overseeing European data complaints are all unclear.

“Business decisions now need to be made with privacy considerations upfront instead of in a reactionary way,” Corbin said, adding that the threat of a devastating data breach will likely convince companies to increase security. “It’s important to consider why this process is happening. Privacy is viewed as a fundamental human right in the EU, much like we might view free speech in the U.S.”

What Edward Snowden Thinks

Edward Snowden is following this initiative carefully. He realizes that what's at stake is the desire of European citizens not to have their data and communications monitored by the US National Security Agency. Snowden was among those who immediately criticized the "deal." Snowden retweeted this comment from the German Member of Parliament, Jan Peter Albrecht: "This is just a joke. EU Commission sells out EU fundamental rights and puts itself at risk to be lectured by the CJEU again." [Court of Justice of the European Union]

Snowden added his own Tweet: "It's not a 'Privacy Shield.' It's an accountability shield. Never seen a policy agreement so universally criticized."

What Companies Should Do Until the EU-US "Privacy Shield" is Implemented (or Not)

Be very careful about moving ANY customer data from a European country to the US and vice versa. Here's some legal advice posted by Crowell Moring, a Washington D.C. US law firm:

"Individual EU Member State DPAs remain free to carry out investigations and enforcement actions against companies that have not put in place transfer mechanisms apart from the invalidated U.S.-EU Safe Harbor Framework (Safe Harbor), particularly when the DPAs receive individual complaints from EU citizens. Relying solely on Safe Harbor certification for EU-U.S. data transfers would "clearly be illegal" as a result of the judgment of the European Court of Justice (ECJ) on Safe Harbor, according to Falque-Pierrotin.

"As a result, U.S. companies that were previously relying solely on Safe Harbor for their EU-U.S. data transfers are expected to implement non-Safe Harbor transfer mechanisms unless and until the Privacy Shield is implemented and the company has certified to it. This is a critical interim requirement, particularly with regard to transfers from those EU Member States whose DPAs have been critical of EU-U.S. data flows generally."

The remaining legitimate transfer mechanisms are:

1. EU-approved model contract clauses.

2. Binding Corporate Rules (for intra-company transfers only).

"Certain other specific derogations that companies could rely on include:

• Informed consent of the data subject (though this may not be possible for human resources or other data relating to employees);

• Performance of a contract (limited to circumstances such as booking a hotel in the U.S. where personal information must be provided to the U.S. entity to fulfill the contract).

• Important public interest grounds (cooperation between authorities regarding fraud or cartel investigations).

• The vital interest of the data subject (urgent life or death situations)."

Our Take?

You can't count on this agreement holding up in European court. If you have customers in the EU, you should house their data there. You should not plan to house European customers' data in a non-EU-hosted cloud or data center. You should not transfer customer data back and forth between the EU and the US.