Europe narrowly avoided a major disaster for American businesses - for now
At the eleventh hour, EU and US negotiators agreed upon a deal for legitimising the transfer of personal data across the Atlantic, called "Privacy Shield."
The legality of data transfers might sound like an arcane topic, but it's incredibly important. Thousands of companies need to send personal data between the EU and the US on a daily basis - ranging from social networks' user data to information on employees and clients.
If companies don't have the right legal mechanisms in place, these transfers can be legally challenged - subjecting them to potentially onerous litigation from individuals and national regulators.
Negotiators have put together a deal just in time - but there's likely more drama to come.
The end of Safe Harbor
For the last fifteen years, companies have relied on "Safe Harbor," the outcome of a 2000 European Commission decision, to legitimise the sending of Europeans' data to the States.
But in October 2015, The European Court of Justice (ECJ) invalidated Safe Harbor - plunging the thousands of companies that were relying into legal limbo. Were they now breaking data protection law by sending Europeans' data to the US? Were data regulators about to start prosecuting them?
The ECJ's decision was the result of legal action by Max Schrems, an Austrian privacy campaigner. Schrems had tried to suspend the transfer of Facebook user data to the US on the grounds that American mass surveillance violated Europeans' rights, and that the social network couldn't offer adequate safeguards. The Irish regulator rejected Schrems case on the grounds that its hands were tied by Safe Harbor - so he appealed to the ECJ, which threw out the legal mechanism altogether.There are alternative ways to legitimise data transfers - but Safe Harbor was by far the most straight-forward.
Negotiations for a replacement to Safe Harbor had already been underway for years. But with its annulment, they took on a new urgency. The Article 29 Working Party - a group comprised of the heads of Europe's various national data regulators - agreed on a three-month grace period for negotiators to finalise safe Harbor 2.0, during which time they wouldn't take action against companies.
Negotiations came right down to the wire
That deadline came at midnight on January 31, 2016 - and negotiators didn't have a finalised deal.
This meant they were now racing against a new deadline: On February 2 and 3, the Article 29 Working Party met, and the only topic of discussion was Safe Harbor. It had previously said that if no agreement is reached, it would "take all necessary and appropriate actions, which may include coordinated enforcement actions."
High-profile American companies would likely be first in the firing line, privacy lawyer Susan Foster from law firm Susan Foster Mintz Levin told Business Insider. "I think we are likely to see a few high-profile investigations pretty quickly. However, data protection authorities don't have unlimited resources, so initial investigations will probably be driven either by complaints from individuals ... or other large targets that will generate a lot of publicity in return for a relatively small investment in enforcement funds."But at 4.30 PM (CET) on February 2, the European Commission made an announcement: It had a deal.
Negotiators had worked night and day, European commissioner Vera Jourová said. The result is Privacy Shield - a "new framework for transatlantic data flows protects the fundamental rights of European and provides legal certainty for businesses."
This isn't the end
So is this all done and dusted? Not quite.
For starters, the Article 29 Working Party is reserving judgement until it sees the full text of the Privacy Shield deal - something which has yet to be fully hammered out. In a statement, the group says it "looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data."
The European Commission doesn't technically need the Working Party's approval for Privacy Shield. But if the group finds it wanting, it means fresh legal challenges will be all the more likely.
The Working Group has been evaluating the alternative mechanisms for data transfers - like pre-written "model clauses" that businesses can slot into contracts. It's holding off on this until it has the full text of the full arrangement, which it is asking for by the end of February."The WP29 will then be in position to complete its assessment for all personal data transfers to the U.S. at an extraordinary plenary meeting that will be organized in the coming weeks," it says.
"After this period, the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms."
In short: Alternative data transfer mechanisms are fine, for now. But the group may yet consider them unlawful.
Privacy Shield might end up in the courts
The new Privacy Shield is already being criticised in some quarters - notably Max Schrems, whose legal challenge against Safe Harbor sparked this whole drama.
"With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance," Schrems said in a statement. "We don't know the exact legal structure yet, but this could amount to obviously disregarding the Court's judgement."If the US doesn't enact root-and-branch reform of its surveillance regime, privacy activists argue, it's likely that Europeans' rights will continue to violated if their data is stored in America.
"A loose coalition of activists, officials and judges took down the original safe harbour arrangement," Georgetown University professor Abraham Newman wrote in The Financial Times on Tuesday. "There is no reason why they cannot do so a second time."
Schrems says that while "it is clearly too early for a final assessment," he expects there will be legal challenges - and that "depending on the final text I may well be one of them."