Talk about a moving target.
The real deadline for negotiators in Europe and the United States to hammer out a new pact to give companies legal protection to transfer data across the Atlantic is not January 31. It might be February 2, or even later.
For businesses, which hate uncertainty, it only adds to the drama, the lobbying and the risks.
For 15 years, businesses relied on a so-called safe harbor agreement to transfer data, everything from family photos to bank account details. On October 6, the European Court of Justice struck the deal down, claiming Europeans may not have adequate protection against surveillance if their data were in the U.S.
Here’s what you need to know about the state of play:
1. The real deadline
After the ECJ ruling, which obliged national data protection authorities to investigate claims from citizens, data protection authorities (DPAs) from the 28 countries in the European Union gave a grace period. They said they would wait until January 31 to start poking around.
They will meet February 2-3 to evaluate how much progress negotiators have made, balancing that with the potential risk to citizens’ data.
Věra Jourová, the EU’s justice commissioner, is set to brief the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs on February 1 at 7 p.m. in Strasbourg, where Parliament is gathering for its voting session. So, ideally, negotiators will wrap up by then.
2. Data transfers are unlikely to be (immediately) suspended
DPAs have the power to suspend data transfers between the EU and U.S. if they don’t comply with EU law. However, the chances of them taking such a drastic measure after their meeting on Wednesday are low.
POLITICO has spoken with a number of DPAs, who requested anonymity because of the sensitivity of negotiations. They said there is a cautious willingness in several countries to give the Commission leeway if a deal appears near.
Two DPAs, however, said some members are concerned about repercussions if they fail to take action soon.
3. Delay = Fear
Already, some companies are seeking alternative arrangements, changing contract terms or, more drastically, moving data storage to Europe from the U.S.
One popular alternative is negotiating a so-called model contract clause. These clauses have language approved by the European Commission.
“In terms of a quick fix, model clauses are probably the most popular mechanism. They can be a relatively quick arrangement to conclude, especially if being agreed within a corporate group,” said Dyann Heward-Mills, a partner with Baker McKenzie lawyers in London.
But model clauses aren’t necessarily the answer. Three DPAs are already investigating complaints from Max Schrems, the Austrian privacy activist whose case against Facebook led to the ECJ ruling.
Meanwhile, Microsoft is already building data centers in Germany. Smaller companies are shopping for cloud storage for data.
“We realized that what Europe wants is for companies to store their data in Europe and never transfer to the U.S.,” said Aytekin Tank, the chief executive of form-building platform JotForm. The company is offering Europeans the option of localized data storage. “We will transfer Europeans’ data to our new servers in Germany and erase the data from the U.S. servers.”
But that comes at a cost. The San Francisco-based company’s server bills have gone up 20 percent. “That is the price of doing business in Europe,” Tank said.
4. Playing chicken with the Judicial Redress Act
On Thursday, the U.S. Senate Justice Committee passed the Judicial Redress Act, which allows EU citizens to file civil actions against some government agencies if their data is unlawfully used or disclosed.
However, Senator John Cornyn proposed an amendment, which was approved, that made the privacy protections in the bill conditional on Europeans signing up to a new safe harbor deal.
That isn’t quite the signal of goodwill the EU was waiting for.
“The amendment made mixes up commercial considerations with the right of access to U.S. courts for EU citizens — a right which U.S. citizens already enjoy in Europe,” said Christian Wigand, the Commission’s spokesperson on safe harbor. “We clearly favor the original version as adopted unanimously by the House.”
5. Handling complaints
Negotiators for the Commission and the U.S. have agreed on the elements to strike a new pact. But the sides still stand apart on how the U.S. will deal with individual complaints about data transfers.
Julie Brill, of the U.S. Federal Trade Commission, said her agency is committed to investigating all complaints from across the Atlantic.
“Law enforcement is our bread and butter,” she said in Brussels this week. “We have always been committed to taking each data protection authority complaint that we receive as a priority.”
In addition, the U.S. has offered an ombudsman to monitor complaints, and several other unspecified mechanisms that would ensure complaints are investigated.
As of Thursday night, that had yet to satisfy the Commission.
“There must be a body which is independent, which has the obligation to resolve individual complaints,” Paul Nemitz, the director for fundamental rights and Union citizenship at the Commission’s Directorate-General for Justice and a key EU negotiator said Thursday. “And, under the rule of law, the authority’s decisions must be subject to judicial review.”
That’s something the FTC, which gets roughly 2 million complaints annually, can’t deliver — it has no legal obligation to investigate each individual issue.
That has left negotiators squabbling over the role the EU’s data protection authorities will play.
6. Concerns about U.S. surveillance
The EU wants firm, legally binding assurances that access to personal data by U.S. law enforcement and security authorities is limited to what is necessary and proportionate.
“We recognize a lot has been done in the U.S. since 2012, 2013,” Bruno Gencarelli, head of the unit for data protection at the Directorate-General for Justice, said. “The facts and legal landscape are different. But you will understand that we need a number of clarifications.”
The U.S. has attempted to mollify the EU, stressing the days of mass surveillance revealed by Edward Snowden are gone.
American negotiators have stressed they have sufficient data protections under old and new privacy laws and mechanisms, including the Fourth Amendment, which deals with unlawful and unreasonable searches and seizures; the Wiretap Act; the Electronic Communications Privacy Act; the Foreign Intelligence Surveillance Act (FISA) and FISA Court; and the Privacy and Civil Liberties Oversight Board.
Perhaps the most significant change in the States has been the introduction of the U.S.A. Freedom Act, which made a U-turn on some of the most invasive elements of the Patriot Act, which was introduced in the wake of the 9/11 terrorist attacks.
The Freedom Act ended bulk collection of telephone metadata in U.S. and provided increased transparency and oversight of the intelligence community.
“It is hard for us to understand how much more transparency is required without rendering the intelligence service ineffective,” Alex Joel, civil liberties protection officer with the U.S. Office of the Director of National Intelligence, said at a briefing in Brussels Friday.
But Commission negotiators aren’t convinced.
“The U.S. insists that the safe harbor text should say all this can be set aside if it is necessary for the national security of the U.S.,” Nemitz said.
7. Closer to a deal
In recent days, Commission negotiators have taken a more positive tone on the chances of a last-minute deal.
“We believe we have made proposals that make a deal feasible,” Gencarelli said. “We are approaching what we hope is the last mile of the negotiation with a constructive spirit.”
Even Nemitz, one of the Commission’s staunchest privacy gatekeepers, seems to be thawing.
“We hope to be able to reach an arrangement that is agreeable to the Commission by Monday,” he said Thursday.
8. What happens next?
Best case scenario: Negotiators reach an agreement in principle by Monday evening. On Tuesday, the College of Commissioners will meet and decide whether the deal is amenable. Also on Tuesday, the Commission negotiators will brief the DPAs. The parties will agree to a grace period for companies. How long they’ll get is unknown, but Nemitz said it would be between a few months and a year.
Worst case scenario: Not enough progress. The DPAs stop the clock and start investigating complaints.