United States and European Commission officials have promised they are doing everything possible to reach agreement over transatlantic data-sharing before a critical deadline at the end of this week.
After the Safe Harbor agreement – put in place in 2000 – was struck down by Europe's highest court back in October due to NSA spying, officials have been scrambling to find a solution or risk causing enormous disruption to US-Europe commerce.
Both sides are desperate to make it work before the January 31 deadline imposed by the Europe's privacy guardians, the Article 29 Working Party, which warned it would "take all necessary and appropriate actions, which may include coordinated enforcement actions" if the deadline was not met.
Under the Safe Harbor agreement, personal and private information on European citizens was allowed to leave the Continent and be stored in America – provided the US respected people's privacy. The revelations of the NSA's blanket surveillance of the internet shattered that trust, and so the agreement was scrapped. That's a big problem for Silicon Valley.
The issue dominated the annual State of the Net conference in Washington DC on Monday and even though officials refused to give precise details over the new agreement, it was clear negotiations will go down to the wire.
One of the negotiators in a new agreement that has been put forward by the US government, Deputy General Counsel of the Department of Commerce, Justin Antonipillai, noted that the deadline of 31 January was on a Sunday, and so the negotiation team views Tuesday, February 2 – the next meeting date of the Article 29 Working Party – as the true deadline.
"We've presented a very strong proposal and foundation to help the [European] Commission react to the findings that have been made," Antonipillai told the policy wonk audience. "But time is not on our side. We are committed to do what we can within limits."
That a senior official would be quibbling over 48 hours for talks that were started two years ago and have been going on intensively for three months is certainly a sign that things are not going well.
The negotiations have been a remarkable battle between an economically dominant US and privacy-respecting Europe.
Also speaking at the conference, the EU's digital economy representative to the US, Andrea Glorioso, pointed to the fact that the European Commission had developed 13 recommendations for changing the Safe Harbor agreement more than two years ago after the extent of US government spying, which included grabbing and storing internet data from such services as Facebook, Google and Twitter, was revealed.
"Following Snowden's revelations and the impact they had on the European public, rather than suspending the arrangement, we said Safe Harbor has to be improved, strengthened," noted Glorioso. "We have been in discussion since October 2013 on those recommendations."
Not one of those recommendations was implemented by the US before the European Court of Justice struck down the agreement. Since October, occasional leaks over the negotiations have repeatedly pointed to intransigence on the part of the US intelligence services as the main stumbling block.
Back in October, EU Justice Commissioner Vera Jourová said that the EC's position was that blanket surveillance of Europeans by the NSA should be subject to judicial review. The intelligence agencies pushed back heavily on that, prompting Dutch justice minister Ard van der Steur to say in December that he didn't think an agreement was going to be possible before the end of January.
That topic was repeatedly referenced by Antonipillai and Glorioso.
"The ECJ judgement required the Commission to look at the framework within the context of US law and with a commitment to work together with how intelligence agencies operate," said Antonipillai. "What was not in the decisions - and this is important - there were no findings about US national security law and no findings about how US law enforcement works."
Antonipillai also noted that the negotiating teams had spent "a lot of time ensuring that citizens have many means to pursue legal remedies" while noting that they had to be careful that companies were "not subject to all 44 DPAs," referring to the independent data protection agencies of the European Union.
Executive decision time
For his part, Glorioso noted there had been no calls for legislative changes in the US and that recent changes – including executive orders issued by President Obama – should provide sufficient "flexibility" for the EC to achieve its main goal: resolution of the 13 recommendations made back in October 2013.
While professing "deep respect" for the US laws and enforcement powers with respect to privacy, Glorioso did note that there nothing to bind the Federal Trade Commission (FTC) to follow up on complaints. "How can we make sure that European citizens are granted their fundamental right to proper judicial redress?" he asked.
The other key aspect, agreed to by both Antonipillai and Glorioso was that there needed to be "clarity" over what access to data is allowed by US law enforcement ad intelligence agencies. "We're on the same page," Glorioso noted.
Both of them also agreed on the importance of a very solid framework that would withstand future legal scrutiny. "It is not in anyone's interest to rush this and have that agreement struck down later," said Glorioso.
Also speaking at the conference was the Austrian law student whose lawsuit resulted in the framework being discarded: Max Schrems. In a question-and-answer session, Schrems said his case against Facebook was not an anti-US case but an anti-mass surveillance issue and he said he would consider suing European companies for also infringing privacy laws.
"In Europe, we have these fundamental rights, but they are not always enforced," he noted.
Meanwhile in an opinion by Geoffrey Robinson QC, seemingly commissioned by Facebook and just published, the renowned human rights lawyer argues that since there is "growing acceptance by governments that bulk collection of data is necessary to deal with Islamic extremist threats" that the protections in place in the United States are "essentially equivalent" to European laws "on a practical level".
Which sounds very much like a legalistic way of saying because everybody's ignoring the law, the law is irrelevant. ®