Safe Harbour: D-Day approaches – what to expect?

Talk about the calm before the storm! The silence is deafening as both Brussels and Washington DC hold their breath days before the February 1st deadline for an agreement on a new Safe Harbor framework.

At the moment both sides of the Atlantic continue to stare hard at each other, waiting for the other side to blink. Senior-level negotiations occurred behind closed doors during Davos but very little was revealed. The EU is standing firm, as Commissioner Jourova said she is clear that ‘when a European’s personal data travels the equivalent protections also need to go with it’. Meanwhile, Penny Pritzker, U.S. Secretary of Commerce, said they have a comprehensive offer being refined ‘…that creates what’s called ‘essential equivalents’ which is the standard that needs to be met in order for Safe Harbor to receive what’s called an adequacy determination’.

What we can assume is that by next Monday some sort of agreement will be announced, barring a complete breakdown in negotiations, which is a possibility.

What would such an agreement look like? Hard to say, but here are some areas that have been discussed. One is clarity on the use of legal mechanisms recognized by the High Court in Europe to allow the transfer of data from the EU to the US, in particular Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR). There has even been discussion on potentially introducing new ‘creative’ mechanisms such as Codes of Conduct and Certification. However, some Data Protection Authorities in Germany have said they will challenge SCCs and BCRs, and any new mechanisms would take several years to be developed, accepted, and implemented.

But what if the negotiations fail? Where does that leave companies that are directly impacted by the absence of Safe Harbor (of which many are European, by the way)?

We would hope that, in the absence of an agreement, the European Commission and Data Protection Authorities will provide clarity and specific ways for companies to transfer data overseas. Unfortunately, this does not exclude investigations being started by the Data Protection Authorities. We can hope these authorities will recognize the good faith companies have shown to date. Companies have repeated throughout the process that they do not have the competency to change how US laws are applied but have offered to make unilateral commitments such as providing transparency reports, developing compliance processes, and implementing specific technical or organizational measures.

The real test is that whatever is announced will need to stand up to European Data Protection Authorities. But it will also need to survive another challenge, most likely to come from the High Court and the ‘Schrems’ of the world. A perfectly acceptable solution will mean a seismic change in US domestic policy to halt its intelligence services and provide assurances that will need to be entrenched somehow in law. This is not likely in the current US political climate, which is very sensitive in the run-up to the Presidential elections. The current administration will not want to give Republicans more ammunition with an agreement that may be seen to appease the EU in exchange for sacrificing some of its national security. In addition, the EU would need to provide a credible message to the US explaining why it is ok for Member States, like France and the UK, to introduce new mass surveillance laws. The US will be less enthused to hear Brussels’ response that it does not have the competency to issue orders to Member States, especially not to the likes of the UK with Brexit on the horizon.

Unfortunately the only conclusion is that 1 February will not be the end of the painful discussions that will still be needed to ensure data can flow across the Atlantic. We can only hope cooler heads will prevail and factor in the benefits the free flow of trans-Atlantic data can have in bringing prosperity, jobs and important innovation. Maybe wishful thinking on my part.

Ray Pinto