It has been nearly two months since the Schrem’s decision resulted in the end of Safe-Harbor 1.0 and as of yet, no clear resolution is in sight. Unfortunately, this has left a large legal vacuum for those companies who rely upon private data exchange between the EU and US. With more than $1 trillion in trade annually, it’s somewhat stunning that the EU and US cannot seem to come to any sort of agreement since my last article on Safe Harbor 1.0.
US/EU Posture Update
On the face, both EU and US appear to be verbally committed to finding a resolution to the Safe Harbor debate, but neither side seems overly willing to compromise and take steps towards an agreement.
On one hand, the EU has consistently called for bilateral efforts, a broadening of the privacy framework understanding, and a general sense of encouragement across the pond to find a path forward. The US, on the other hand, still has the following statement up on the official Safe Harbor website, hosted by the Department of Commerce:
In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.
Despite the seeming recalcitrance of this statement, there are parties within the US government working towards bridging the gap with the EU. There are a variety of reports that President Obama, Vice-President Biden, and EU Chief Executive Juncker are all on the same page about working towards establishing Safe Harbor 2.0.
Where We Stand Today
Contrary to the clear support from Juncker’s office, several Data Protection Authorities (“DPAs”) have made strong statements against the US and seem to oppose any cooperation or compromise. Add to that sentiment the recent statements by the Dutch Justice Minister that negotiations will not be completed anytime soon, and the 2016 prospects are grim.
On top of that, country specific DPAs are rattling their sabers at US companies, with some fines already being levied. At the root of these proactive measures is Facebook, the company that prompted the Schrems decision to begin with. At the forefront of these efforts is Belguim, who levied huge fines of $250,000 EU per day, a decision that is currently being appealed.
Much to the dismay of Facebook, Schrems’ efforts have not come to an end, as he filed two actions against Facebook in the past few days.
Root of the Issue and Moving Forward
After two months of diplomacy without progress, it has become clear there are two core issues of contention: US data acquisition in the name of national security and the lack of any comprehensive US data protection law.
This particular sticking point appears to be quite the sticky wicket, but in reality it is a surmountable obstacle. The EU and US already cooperate on a tremendous number of national security issues, but need the framework in place for when the US want to view the data of an EU citizen. The real challenge here is twofold.
First, Juncker must ensure full DPA approval of whatever plan goes into place. Second, President Obama must wrangle some flexibility out of congress and get some time of data protection law passed, even if it solely addresses the EU. While these two tasks are certainly achievable, given the sheer number of ministers, congressmen, and functionaries involved, herding cats may be too generous of a metaphor.
National Data Protection Law
This issue is by far the greater hurdle to overcome. Contrary to its progressive counterparts, the US has resolutely stuck by sector-based privacy laws that tackle one issue, i.e. HIPAA. To date, every comprehensive data privacy law has fallen flat, often in the name of national security (ironic).
Odds are, the workable solution is to solve the national security issue through the resolution of the above obstacle, and work to segregate EU and US data. Otherwise, waiting on a joint DPA/US congressional effort to negotiate data privacy for Safe Harbor 2.0 could take years, if ever.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock