Europe narrowly avoided a major disaster for American businesses - for now

Feb 4, 2016, 13:30 IST

Miguel Oliveira of Portugal and rider of the #44 Mahindra Racing Mahindra crashes out during the Moto3 race at the Australian MotoGP at Phillip Island Grand Prix Circuit on October 20, 2013 in Phillip Island, Australia. Robert Cianflone/Getty Images

American and European businesses narrowly avoided a disaster this week.

At the eleventh hour, EU and US negotiators agreed upon a deal for legitimising the transfer of personal data across the Atlantic, called "Privacy Shield."

The legality of data transfers might sound like an arcane topic, but it's incredibly important. Thousands of companies need to send personal data between the EU and the US on a daily basis - ranging from social networks' user data to information on employees and clients.

If companies don't have the right legal mechanisms in place, these transfers can be legally challenged - subjecting them to potentially onerous litigation from individuals and national regulators.

Negotiators have put together a deal just in time - but there's likely more drama to come.

The end of Safe Harbor

For the last fifteen years, companies have relied on "Safe Harbor," the outcome of a 2000 European Commission decision, to legitimise the sending of Europeans' data to the States.

But in October 2015, the European Court of Justice (ECJ) invalidated Safe Harbor - plunging the thousands of companies that were relying on it into legal limbo. Were they now breaking data protection law by sending Europeans' data to the US? Were data regulators about to start prosecuting them?

A general view of the beached cargo ship MS Napoli on Branscombe beach on January 27, 2007 in Branscombe, England. The salvage operation to remove the remaining containers still aboard the vessel is due to begin today. Bruno Vincent/Getty Images

The ECJ's decision was the result of legal action by Max Schrems, an Austrian privacy campaigner. Schrems had tried to suspend the transfer of Facebook user data to the US on the grounds that American mass surveillance violated Europeans' rights, and that the social network couldn't offer adequate safeguards. The Irish regulator rejected Schrems' case on the grounds that its hands were tied by Safe Harbor - so he appealed to the ECJ, which threw out the legal mechanism altogether.

There are alternative ways to legitimise data transfers - but Safe Harbor was by far the most straightforward.

Negotiations for a replacement to Safe Harbor had already been underway for years. But with its annulment, they took on a new urgency. The Article 29 Working Party - a group comprised of the heads of Europe's various national data regulators - agreed on a three-month grace period for negotiators to finalise Safe Harbor 2.0, during which time they wouldn't take action against companies.

Negotiations came right down to the wire

That deadline came at midnight on January 31, 2016 - and negotiators didn't have a finalised deal.

This meant they were now racing against a new deadline: On February 2 and 3, the Article 29 Working Party met, and the only topic of discussion was Safe Harbor. It had previously said that if no agreement is reached, it would "take all necessary and appropriate actions, which may include coordinated enforcement actions."

WASHINGTON, DC - SEPTEMBER 18: Facebook CEO Mark Zuckerberg speaks at the Newseum September 18, 2013 in Washington, DC. Zuckerberg participated in an interview with James Bennet, editor in chief of the Atlantic, on 'the knowledge economy', including Zuckerberg's involvement in the immigration debate. Win McNamee/Getty Images

High-profile American companies would likely be first in the firing line, privacy lawyer Susan Foster from law firm Mintz Levin told Business Insider. "I think we are likely to see a few high-profile investigations pretty quickly. However, data protection authorities don't have unlimited resources, so initial investigations will probably be driven either by complaints from individuals ... or other large targets that will generate a lot of publicity in return for a relatively small investment in enforcement funds."

But at 4.30 PM (CET) on February 2, the European Commission made an announcement: It had a deal.

Negotiators had worked night and day, European commissioner Vera Jourová said. The result is Privacy Shield - a "new framework for transatlantic data flows protects the fundamental rights of European and provides legal certainty for businesses."

This isn't the end

So is this all done and dusted? Not quite.

For starters, the Article 29 Working Party is reserving judgement until it sees the full text of the Privacy Shield deal - something which has yet to be fully hammered out. In a statement, the group says it "looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data."

The European Commission doesn't technically need the Working Party's approval for Privacy Shield. But if the group finds it wanting, it means fresh legal challenges will be all the more likely.

The Working Group has been evaluating the alternative mechanisms for data transfers - like pre-written "model clauses" that businesses can slot into contracts. It's holding off on this until it has the full text of the arrangement, which it is asking for by the end of February.

"The WP29 will then be in position to complete its assessment for all personal data transfers to the U.S. at an extraordinary plenary meeting that will be organized in the coming weeks," it says.

"After this period, the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms."

In short: Alternative data transfer mechanisms are fine, for now. But the group may yet consider them unlawful.

Privacy Shield might end up in the courts

The new Privacy Shield is already being criticised in some quarters - notably Max Schrems, whose legal challenge against Safe Harbor sparked this whole drama.

"With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance," Schrems said in a statement. "We don't know the exact legal structure yet, but this could amount to obviously disregarding the Court's judgement."

If the US doesn't enact root-and-branch reform of its surveillance regime, privacy activists argue, it's likely that Europeans' rights will continue to be violated if their data is stored in America.

"A loose coalition of activists, officials and judges took down the original safe harbour arrangement," Georgetown University professor Abraham Newman wrote in The Financial Times on Tuesday. "There is no reason why they cannot do so a second time."

Schrems says that while "it is clearly too early for a final assessment," he expects there will be legal challenges - and that "depending on the final text I may well be one of them."
