EU Justice Chief Vera Jourova Speaks on Negotiating New Safe Harbor Pact.
The European Union’s highest court last month scotched a 15-year-old international pact known as “Safe Harbor” that allowed U.S. companies to transfer the data of European Union citizens to servers located in the U.S., where Europeans fear the data is vulnerable to U.S. intelligence agencies. That, and the looming threat from European privacy regulators of unleashing stiffer penalties, has tech giants such as Google and Facebook scrambling in one of their most lucrative markets. The European Court of Justice said that data is unprotected when it lands on American soil because U.S. intelligence services can get their hands on it. It has chosen bits over bodies, prioritizing protecting the neutrality of innumerable inanimate Internet bits over protecting peoples’ privacy and personal data.
-EU data transfer pact to require U.S. businesses to report intelligence agency requests for information on European citizens, according to EU Justice Commissioner Vera Jourova. “What we wanted was to have a double check from the side of the companies themselves, which should show us at least the number of cases when the data was used or required from the national authorities,” Jourova said in an interview with The Wall Street Journal published Thursday. Since then, in essence, any European company has a greater responsibility to ensure that data transferred to a US-based service will be secured to European standards. The EU and U.S. have been racing to seal a deal on a new data-transfer framework that meets the court’s requirements but clarity for European officials over the extent to which U.S. national security services have access to Europeans’ data is still outstanding. Hewlett-Packard executive Ansgar Baums, for instance, put the chances of a new agreement at “zero.” At issue: The challenge of reconciling two very different approaches to consumer privacy. The EU high court struck down the 15-year-old agreement last month over concerns that, because of U.S. surveillance practices, American companies could not be seen as adequately protecting private information.
U.S. tech companies say a growing encroachment on how data can be handled in the EU could lead to fewer free services and new features here.. “This is a real big risk for the business model of any (information technology) company,” says Christian Flisek, a representative in the German parliament’s ongoing probe of the U.S. Government largely ignored and did little to mitigate the profound damage to transatlantic trust from the Edward Snowden NSA spying revelations in 2013.
Vera Jourova: Given the sense of urgency, which both [sides] understand — it’s high time and …very useful and necessary that we meet on the highest possible level. Its main priority was not restoring a relationship of trust or showing a newfound respect for Europeans’ privacy, but it was pushing the EU to accept America’s net neutrality industrial policy as their own. Dieter Janecek, a member of Germany’s Alliance 90/The Green Party, is even more blunt about America’s track record on strict privacy laws. “There is none,” he said from German Parliament in Berlin. Some critics have called the proposed deal one-sided, noting that EU companies handling American data are not required to provide the same information to the United States. Data collection and online privacy aren’t the only landmines in the fraught dealings between European regulators and the biggest players in U.S. tech.
Making this privacy situation much worse over the last two years, global net neutrality champion and serial EU privacy scofflaw, Google, has been systematically refusing to comply with several EU Member States’ privacy directives to allow Europeans their right to opt out of Google’s collection of their private data. The EU also wants more “qualitative” information included in the report to give European regulators a better idea of why intelligence agencies are requesting the information. “We will also have a list of criteria on the necessity and proportionality of this access and this is something we would like to have better under control,” Jourova said. Facebook said yesterday that government requests for data globally jumped 18 percent in the first half of this year — to 41,214 requests from 35,051 requests in the second half of 2014. Negotiators had tried unsuccessfully for two years to reach an accord. “The decision demonstrates different geographies think very differently about individual privacy, and it’s important for the technology community to understand these nuances,” says Dennis Yang, CEO of online learning marketplace Udemy. ” We have to be sensitive to the treatment of user data in every market.” In a statement, Facebook said the Safe Harbor ruling “is not about Facebook” but “one of the mechanisms that European law provides to enable essential transatlantic data flows.” (The case stems from a complaint brought by a 27-year-old Austrian graduate student, Max Schrems. Schrems’ allegations have been referred back to the Irish DPC and the case continues but, with Facebook denying any wrongdoing, the action may only be remembered for its serious collateral effects.
He claims the online data of Europeans was violated when Facebook allegedly cooperated with the NSA’s PRISM program.) Eric Schmidt, chairman of Google’s parent company, Alphabet, had a sharper reaction. The torpedoing of Safe Harbor has not only sunk a core assurance of panatlantic deals but also blasted a hole in existing and future data storage agreements.
And Penny Pritzker understood very well that there must be a fair approach from both sides and she also understood that we were starting to be very impatient because we need to achieve very tangible results as soon as possible. At the moment there is a grace period which runs out in January, 2016, and the and US authorities are trying to agree a “Safe Harbor 2.0” framework. Government compliance has put enormous pressure on U.S. companies with multinational operations, says Thomas Boue, public policy director at the Business Software Alliance in Brussels. “It is a roll of the dice,” he says. In a world where national security organisations are keen to access information on each other as much as learning about potential terrorist threats, governments are being asked to consider passing laws that delve deeper into personal and private data, labelled by privacy advocates as “Snoopers’ Charters”.
After promising publicly that the FCC would be vigilant in protecting Internet users’ privacy as a reason to justify the FCC’s assertion of “Title II” utility regulatory authority over the Internet to promote net neutrality, the FCC caved under pressure from Big Internet lobbying. In June, the European Commission began to investigate whether Amazon leveraged its market leadership in e-books to make it more difficult for competitors to lower prices. But what we [got from the court decision] was a clear definition of the requirements for an equivalent level of protection. [While in the U.S.] I want to agree again and confirm what [both sides] consider to be agreed a hundred percent and [also find agreement] on what’s remaining to finalize. In rejecting the Consumer Watchdog “Do Not Track” petition, the FCC said: it “has been unequivocal in declaring it has no intent to regulate edge providers,” i.e.
In April, privacy officials in Spain, France and Italy joined a handful of other European nations in investigating whether Facebook gained proper approval from its members when the social network gained access to their online data. What this tells us is the U.S. government’s self-serving, one-sided, Big Internet industrial policy, where “heads” Big Internet wins net neutrality protections and “tails” Big Internet wins on no new privacy obligations, is unlikely to survive the pending U.S. That they potentially allow access to US datacentres at home and abroad has led to European concerns for the security of its own citizens that choose to use US services. When National Security Agency contractor Edward Snowden leaked secret intelligence documents in 2011, revealing PRISM, a program to collect data from Internet companies, Europeans — especially Germans sensitive to state-gathered information — were outraged. “European businesses and individuals are rightfully paranoid about their data,” says Jonathan Huberman, CEO of Syncplicity, a maker of file-sharing technology for large companies.
WSJ: What precise measures are being discussed as to how the U.S. can address the concerns over access to Europeans data by U.S. national intelligence services? He cites the Germans, who are particularly vigilant about privacy after decades of state-sponsored snooping by Communist East Germany’s Stasi security service and, before that, the Nazi government. The crunch is that, under EU law, data-sharing with countries deemed to have lower privacy standards are prohibited without special measures – and this includes the US. He is President of Precursor LLC, an emergent enterprise risk consultancy for Fortune 500 companies, some of which are Google competitors, and Chairman of NetCompetition, a pro-competition e-forum supported by broadband interests. At their onset, US Under Secretary Catherine Novelli stated that agreement would be “just weeks away” but weeks have gone by and talks are still in progress, making a January deadline seem optimistic.
My idea is that we have some further options, which would give us the opportunity to get the information about these accesses to the data from the qualitative point of view. He is also author of “Search & Destroy: Why You Can’t Trust Google Inc.” Cleland has testified before both the Senate and House antitrust subcommittees on Google and also before the relevant House oversight subcommittee on Google’s privacy problems.
In the meantime, companies using, incorporating or reselling any of the 4,400 services that have self-certified under the original Safe Harbor agreement will have to consider their options. In a blog post last month, Brad Smith, the company’s chief legal officer, laid out a four-point plan to solve the “privacy Rubik’s Cube.” The proposal specifically outlines people’s legal rights, the lawful transfer of data between Europe and the U.S., and an agreement between tech companies and governments in Europe and the U.S. over information access. We recognise that it will take them some time for them to do this.” US companies such as Microsoft, Facebook, Amazon, Salesforce and, more recently, NetSuite have opened European datacentres to offset concerns about data sovereignty.
Some American cloud computing companies, meanwhile, have reached out to their European rivals about passing data of their European customers via local competitors that comply with European privacy laws. “You need rules, regulations, for (data) privacy that has a global approach,” says Flisek, who is optimistic a deal can be eventually hammered out. These white, fluffy clouds could be darkened by the outcome of a long-running Microsoft appeal against a US order to hand over emails stored in Ireland. The country, which is in the process of shoveling about $400 million into its “fourth industrial revolution,” or Industry 4.0, is grappling with the potential harmful effects that strict data flow will have on its economy, according to Boue. “Data flows is the backbone of the 21st Century,” Boue says.
Stephen Attree, managing partner and head of corporate and business services at MLP Law, comments: “What does this mean for businesses in terms of storing their data in the future? Some lawyers say that, for one, US laws don’t enshrine citizens’ right to privacy like EU laws do and that could be enough to derail a commission decision in the courts.
It is often seen as normal business practice to turn straight to cloud services provided by Google, Amazon and Microsoft for company intranets and business administration. Analysis also needs to take into account any third parties that may receive personal data as a result of using a US services supplier through “onward transfer” agreements. The only lesson to emerge is the bland one that frameworks of convenience are no substitute for circumspect diligence when it comes to ensuring data security. Generally speaking, those things that remain to be negotiated are the ones that the court emphasized. [The court decision] is really confirmation and justification of our rightly expressed requirements.