Thanks to revelations about government spying, a revamped version of a 15-year-old agreement governing the exchange of personal data between EU and the U.S. still seems a long way off, threatening the ability of American companies to do business in Europe.
The E.U. Safe Harbor framework is a set of standards for protecting the privacy of EU residents when their data is transmitted to the U.S. It contains policy directives that must be taken into account in order for companies like Google, Facebook, Microsoft and thousands of small companies in all sorts of businesses to process data in the U.S. from EU citizens.
However, the revelations by Edward Snowden about U.S. National Security Agency spying have shaken European confidence about data exchanges between the EU and the U.S. In November last year, about five months after Snowden's leaks appeared in the press, the European Commission sent a list of 13 demands to the U.S., basically saying: This is what we need you to do to keep the Safe Harbor agreement in place.
It asked the U.S. authorities to identify remedies by this summer. But so far, a deal is not in sight. That, at least, is the story that emerged this week at the Europe Data Protection Congress in Brussels. At the conference, organized by the International Association of Privacy Professionals (IAPP), attendees were given an update on negotiations on the Safe Harbor agreement by EU and U.S. officials.
Last month, U.S. lawmakers were reminded that they need to address European concerns when Andrus Ansip, the new vice president of the European Commission responsible for the Digital Single Market, said that he was willing to suspend the Safe Harbor agreement if that does not happen.
While 11 of the 13 demands have been sorted out, two are still being negotiated, said Ted Dean, deputy assistant secretary at the U.S. Department of Commerce (DOC), during the conference. The two remaining points of discussion involve national security, said Dean, who added that as his department is not the lead agency on this, he could say little on the subject.
However, of the two remaining issues, the most important is a requirement for the U.S. to only use the national security exception in the Safe Harbor agreement "to an extent that is strictly necessary or proportionate," according to Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party (WP29), which represents European data protection authorities and advises the European Commission on Safe Harbor issues. Perhaps most importantly, European officials do not want the security exception to be used for mass surveillance of European citizens.
Aside from the ongoing slog of negotiations, U.S. and EU officials agreed that the Safe Harbor agreement is one of the most important legal-policy compliance tools between the two continents.
"These are every challenging issues," Dean said. "I have heard folks when I have been in Europe say things that to U.S. ears sound a little bit like: 'You Americans just don't understand privacy'. And I've heard things being said in the United States that I think to European ears sounds a bit like: 'We live in a dangerous world and you just don't get it'. Neither one of those characterizations is true."
The DOC wants to keep the Safe Harbor agreement in place to make sure all of the approximately 3,800 companies that signed up for it can continue to do business in Europe.
His wish to keep the agreement alive was backed by Julie Brill , a commissioner at the U.S. Federal Trade Commission (FTC), which has been acting as an enforcement authority for the Safe Harbor deal.
"I think Safe Harbor is a deeply important tool for consumer protection and privacy," she said.
She also vowed that the FTC will use the tool to bring enforcement action against companies, including Facebook or Google, if appropriate. "So I have said, please don't take it away from me. As a law enforcement official, I do not want any tools taken away," she said.
Having listened to the views of the conference attendees, Henriette Tielemans, a Brussels-based data protection lawyer who is also an IAPP board member, said: "I take from that there is hope. There seems to be a very great determination on both sides to make this happen. But there is still a long way to go."
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com