 |
The overall feeling in Brussels amongst the intelligentsia? A total capitulation by the EU on the basis of politics. Said one insider: “look, we had to. The EU and US are finding that their economies are increasingly intertwined. This creates new challenges, as both discover that their jurisdictions now also overlap on the internet. Data has to flow”.
One telling point for me today: neither Paul Nemitz, the EU’s chief negotiator, nor his deputy was at the announcement. (I subsequently learned that Nemitz had a death in the family this morning and had to exit Brussels). Nemitz was most tenacious negotiator is insisting:
1. the Commission have a clear explanation over what access U.S. security services have to data sent from Europe
2. that European citizens could sue in U.S. courts if they believed their data has been mishandled
Both issues were flagged more than a week ago, and leaks abounded on what each side had proposed. And they were “intractable issues”.
Today, both issues were “resolved” via:
(1) the U.S. director of national intelligence will personally sign a pledge that the U.S. government will avoid “indiscriminate mass surveillance” of EU citizens when their information is sent from Europe to the US. As one wag noted tonight “And as Prime Minister Neville Chamberlain exited his plane, clutching a letter …”
(2) EU citizens will be able to complain to an ombudsman based in the U.S. if they feel a business has not dealt with their complaint properly, according to the agreement. The ombudsman proposal was first raised three years ago … and soundly rejected by the Commission as totally inadequate.
But let’s hold off on the champagne. The ultimate fate of “the privacy shield” lies not with the Commission in Brussels, nor U.S. commerce department officials. It lies with the national privacy regulators (DPAs) and European judges. And some are already claiming “quick fix”. The details of the ultimate EU-US privacy shield will surely reflect the efforts of the EU Commission and U.S. administration. Said one insider “the U.S. did bend over backwards … but maybe not enough”. But it will also need to reflect the wishes of the DPAs and European judges, who can block information flows if they do not get their way. They took down the original safe harbor arrangement so there is no reason why they cannot do so a second time.
Note: remember that the DPAs’ powers to scrutinise such arrangements were bolstered by the ECJ ruling. That ruling did not just invalidate Safe Harbor. It strengthened the powers of DPAs. The DPAs will offer their opinion on the new agreement tomorrow. They will also decide whether to aggressively investigate the other methods used by businesses to move data from the EU to the U.S. during the same meeting.
Max Schrems, the Austrian student who brought the initial complaint against “safe harbor”, voiced what several DPAs said at meetings today: a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500m European users in the long run, when there is explicit U.S. law allowing mass surveillance.
Most privacy activists were sharply critical of today’s deal. Jan Philipp Albrecht, a German Green member of the European Parliament who has campaigned for greater data protection, said: “This is just a joke. The European Commission sells out EU fundamental rights and puts itself at risk to be lectured by the ECJ. Again.”
And U.S. business reps are cognizant of the power of DPAs. John Higgins, director-general of Digital Europe, the most active lobby group for the tech industry, said “we ask Europe’s DPAs to view this signal from the European Commission as a sign of good faith and to hold off with any potential enforcement action until the new agreement has been fully implemented”.
So we shall see what tomorrow brings.
