Cybersecurity

Tuesday deadline looms over US-EU privacy pact

Fears that some European regulators may go rogue on U.S. firms seen to be negligent on privacy are running high on both sides of the Atlantic as the two governments rush to meet a Tuesday deadline set by the agencies.

Negotiators have only until Feb. 2 to strike a deal ensuring that commercial data transfers between Europe and the U.S. are able to continue after a critical 2000 agreement was struck down over privacy concerns last fall.

While both the Department of Commerce and the European Commission have said they are close to reaching an accord by the drop-dead date, those tracking the talks are far less certain that Europe’s various national data protection authorities (DPAs) won’t break ranks and begin sanctioning U.S. firms anyway.

“If there is a Safe Harbor deal done next week it’s a whole new ball game, if the DPAs actually do go after these companies,” an industry source said.

The U.S. and EU have been racing to replace the original Safe Harbor agreement since last year, when a complaint lodged with Ireland’s DPA ultimately led Europe’s high court to find the pact incompatible with European citizens’ fundamental right to privacy.

The decision left businesses scrambling for uncertain alternatives to the invalidated agreement, which had allowed U.S. firms to “self-certify” they met Europe’s more stringent requirements.

Even more significantly, it effectively expanded individual regulators’ authority, allowing them to determine for themselves not only whether a given company is meeting privacy standards, but what those standards are. Now that DPAs have that greater power, a lot of them will be looking to use it, observers say — and some countries are considered tougher than others.

Not only could they bring enforcement action against a single company, the privacy watchdogs could effectively freeze all data transfers to the U.S. in their region by outlawing the legal alternatives to Safe Harbor. Critics warn that such action could be devastating to cross-Atlantic trade, which topped $1 trillion in 2014.
 
A working party of the various DPAs gave negotiators until the end of January to come up with an acceptable replacement for the old Safe Harbor framework, promising that they would take no collective action until this coming week. The group is set to meet in Brussels on Feb. 2 to set common guidelines on what legal alternatives firms can use absent Safe Harbor.

But tensions are running high — thanks to a piece of U.S. legislation once expected to help smooth out European concerns — and onlookers worry that some hard-line DPAs could buck whatever consensus the group reaches on Tuesday.

A Senate committee on Thursday advanced a popular bill that would give European citizens the right to challenge misuse of their personal data in U.S. court.

The bill is already a prerequisite to a separate U.S.-EU agreement allowing data-sharing in criminal investigations, and Republicans have now effectively tied the bill to Safe Harbor by negotiating an 11th-hour amendment requiring the countries covered by the bill to permit commercial data transfers with the U.S.

Majority Whip John Cornyn (R-Texas) cast the new language as a way of ensuring that the U.S. was not making “concessions” to the EU on Safe Harbor.

“U.S. companies should not have to endure regulatory threats in an attempt to change our policy or laws. This amendment lays down these important markers,” Cornyn said on Thursday.

The tactic rubbed many in Europe the wrong way, including privacy advocate Max Schrems, the man who effectively brought down Safe Harbor by lodging the original complaint, against Facebook, with the Irish DPA.

“Amendment to Redress act is coupling #SafeHarbor with cooperation on law enforcement. A rather imperialistic move by the US,” Schrems tweeted Thursday.

Some countries’ DPAs have already taken individual action. In Germany, regulators announced an investigation into data transfers from companies such as Google and Facebook immediately following the high court’s decision.

“Anyone who wants to remain untouched by the legal and political implications of the judgment, should in the future consider storing personal data only on servers within the European Union,” Hamburg’s Data Protection Officer Johannes Caspar told the German magazine Der Spiegel.

Germany is seen as one of the toughest nations on privacy in the EU.

Meanwhile, Schrems has since filed several other complaints against Facebook with different countries’ DPAs, including in Germany and Belgium.

Policy experts have warned that the DPAs are unlikely to be satisfied by whatever agreement Commerce and the Commission are able to strike.

“I think you will almost immediately see European data protection agencies attack the revised agreement,” said Marc Rotenberg, president of the digital rights advocate Electronic Privacy Information Center, at a recent hearing held by two subcommittees of the House Energy and Commerce Committee.

Although those following the talks are still hopeful that negotiators will reach a deal by the deadline, the Commerce Department has privately told industry members that there is a possibility that it could fall just short of the goal line.

In that case, onlookers say, the working group would be even more likely to struggle to maintain a uniform approach to enforcement.

“You could have outlier data protection authorities who decide that they’re going to ban transfers wholesale for their geographical area,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.

“It’s very possible. They’re certainly free to do it.”