US and EC (European Commission) officials have until the end of the day today to reach a new Safe Harbor agreement or risk a breakdown of transatlantic e-commerce.
Despite furious efforts over three months and, for the past few weeks, daily meetings between officials, the two sides are still reportedly at loggerheads over two issues:
A clear explanation over what access US security services have to data sent from Europe.
How European citizens can sue if they believe their data has been mishandled.
Both issues were flagged more than a week ago, and despite officials being tight-lipped about negotiations, the impending deadline has resulted in a number of leaks about what is being proposed.
US officials claim to have given a thorough and clear rundown of what rules the US security services (including the NSA) operate under, and what access they have to data under what specific circumstances.
European officials, however, continue to have questions over that explanation, especially how the US government chooses to define the term “exceptional circumstances” – a phrase that would appear to still grant the NSA the right to carry out mass surveillance.
As for providing European citizens with a right to judicial review, the US has reportedly suggested the creation of an ombudsman to deal with complaints and information requests from individuals. The ombudsman would be based in the State Department – as opposed to Commerce or another arm.
That approach will be made possible by the last-minute approval of the Judicial Redress Act, which is currently waiting on a Senate vote.
European officials are unsure whether that arrangement would provide real accountability or is just a sop to get the deal done. Their proposal is to let European data protection authorities investigate complaints.
While the US has previously had a lot of success with this approach – playing hardball but making sure it remains in overall control of everything – the negotiations are a little different this time around.
Since the Safe Harbor agreement was struck down by a ruling of the European Court of Justice, EC officials are obliged to make sure the ECJ’s concerns are dealt with adequately. Diplomatic fudges and creative ambiguity are in limited supply. In addition, a failure to reach agreement would disproportionately impact US businesses such as Facebook and Google, putting US negotiators in a tough spot.
That said, the deadline remains in one sense arbitrary. It was set by the Article 29 Working Party as a way to force the two sides to reach agreement, after three years of making little progress.
A key US negotiator even pegged the deadline not as January 31, but to the next meeting of the Working Party on Tuesday, February 2. Even if agreement were reached in time, it would still take several months for it to be approved and enacted.
If agreement is not reached, it falls to the Article 29 Working Party to decide what to do. It has previously warned if there is no agreement that it would “take all necessary and appropriate actions, which may include coordinated enforcement actions.”
But quite what those actions would be and how they would be enforced is uncertain. It’s certainly something that both US and EC officials – and businesses on both sides of the Atlantic – want to avoid.
Some companies have claimed that changes to their terms and conditions have the same sort of legal protection that the Safe Harbor agreement provided. But it is likely that the Article 29 Working Party will simply disagree with that claim, putting companies in the position of having to decide whether to halt transatlantic data transfers or continue on as usual and risk facing legal challenges.
What does happen will be decided in the next 24 hours. ®
Building secure multi-factor authentication