European Redress, DPAs Could Be Major Issues as Safe Harbor Negotiations Progress
There are a few sticking points to reaching a new safe harbor deal (see 1510250001) on data transfer between the U.S. and EU countries, said a European Commission official and industry lawyers in interviews Tuesday. But they voiced optimism a deal can be reached. They said that sticking points include EC demands that Europeans get the same data protection and redress rights as U.S. citizens and residents. An EC official said that the proposed Judicial Redress Act (HR-1428), which he said the EC largely supports, could address that matter. But he dismissed the suggestion by other experts that national data protection authorities could be an obstacle to approving a revised agreement.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Experts believe the ability for European citizens to address and correct data that may be accessed by U.S. law enforcement and national security agencies is one major sticking point. “We support it,” said the EC official of the Judicial Redress Act. “We want European Union citizens to be treated the same as U.S. citizens and residents in getting access to their personal data.”
Negotiations have been taking place since early 2014 and U.S. government officials, business representatives and privacy advocates have noted the two sides largely agreed in principle to a new framework when the European Court of Justice Oct. 6 ruled the agreement invalid. The ECJ created uncertainty for businesses on both sides of the Atlantic, congressional hearings were told (see 1511030034). More than 4,400 U.S. companies voluntarily use safe harbor, and the transatlantic trade is valued at nearly $1 trillion a year.
"The court ruling confirms what the commission has always said: to have a more credible safe harbor arrangement," said the EC official. "We need to look at arrangement of government access to data.” European Justice Commissioner Věra Jourová, one of the top EC negotiators, will be in Washington Thursday to Nov. 17 for one of her twice-yearly meetings with her counterparts at the Homeland Security and Justice Departments. She is expected to meet with Commerce Secretary Penny Pritzker on revising the safe harbor agreement, and with representatives from the U.S. technology industry.
Wiley Rein's Amy Worlton expects negotiations are focusing on how to provide European citizens with the right to challenge access to their personal data for U.S. law enforcement and national security purposes. She said the Judicial Redress Act might be a way to address some of those concerns since it extends some Privacy Act protections to European citizens. “Legislation like HR-1428 might be helpful and it might be just enough. On its face, it’s not a complete solution,” she said.
But Worlton said multiple U.S. statutes and other types of legal authorities can authorize a U.S. law enforcement or national security agency to collect a European citizen’s personal information located in the U.S., by, for example, compelling a U.S. company to disclose data in its possession. She said a key challenge for U.S. and EU negotiators is to reconcile ECJ concerns about surveillance with the U.S. legal framework that authorizes surveillance in many cases. To protect transatlantic data transfers that are economically critical, negotiators will have to “thread this needle,” she said.
The EC official said he didn’t think that national DPAs were an obstacle to a revised agreement. He said the ECJ ruling said DPAs should get a bigger role in the new arrangement and have more ownership in safe harbor, something they hadn’t had before with the old safe harbor agreement: “The court emphasized how important their role is in the European system, and we have to accommodate that.”
But the European Commission “may lack the legal authority to create a binding deal” because the ECJ ruling stressed the independence of the national regulators, said Alston & Bird's Peter Swire. “And the decision said that the court itself would judge the regulators’ enforcement actions,” he said. “The commission can try to persuade the regulators not to be too aggressive, but I haven’t seen a clear legal basis for the commission to order the regulators not to enforce. It’s not clear the commission can stop the regulators from doing anything or govern the regulators in any legal way.”
Even if a safe harbor 2.0 agreement is reached, European authorities are finalizing a new data protection regulation that would replace a 17-year-old data protection directive, said Swire. This new comprehensive privacy law “would trump” any safe harbor deal, which is only an interim solution until the new regulation, which would take about two years to implement, he said. “These legal facts impact the United States’ negotiating position. The U.S. faces a short term problem that safe harbor has disappeared but the commission cannot give binding assurances in a safe harbor agreement. Any negotiations now are a prelude to ongoing talks about what will apply under the new regulation.”
“We’re in an extended period of uncertainty within Europe,” said Swire. “The privacy hawks want stricter rules than the commission likely supports. American companies are in the crosshairs and face a lot of uncertainty.”