US and EU Fail to Meet Safe Harbor 2.0 Deadline

US and EU Fail to Meet Safe Harbor 2.0 Deadline

IT commentators and think tanks have expressed disappointment at the failure of EU and US negotiators to agree on a replacement to the Safe Harbor data sharing agreement by the 31 January deadline.

Justice commissioner Vera Jourová admitted in a statement issued yesterday that “these talks have not been easy” and that “additional effort is needed” to reach agreement on a deal.

She outlined several areas where the EU has drawn a line in the sand over the negotiations.

These include getting written assurances from the US that access to personal data by the authorities will be “limited to what is necessary and proportionate,” and that no indiscriminate mass surveillance of EU citizens’ data be allowed.

There will be an annual joint revue of any agreed arrangements to ensure this is the case, she claimed.

Jourová also stressed the need for a “functionally independent body” whom Europeans can contact if they think the US is snooping on their data for reasons of national security.

Another area negotiators are working on is complaint resolution against companies in case of privacy violations.

If a complaint cannot be handled by the company itself, a free “alternative dispute resolution,” or the FTC – via a Data Protection Authority – then there should be a "last resort" mechanism to “ensure that all complaints are resolved through a binding an enforceable decision,” she argued.

“Finally, we need commitments by the US that are formal and binding,” Jourová said. “As this will not be an international agreement, but an exchange of letters, we need signatures at highest political level and publication of the commitments in the Federal Register.”

Mike Weston, CEO of data science consultancy Profusion, was pessimistic about the chances of agreement between the two sides, claiming that the “net result for the man or woman on the street will be more expensive online services and less choice.”

“The reality is that the US and Europe have completely different positions on an individual’s right to privacy online. In Europe, with the exception of the UK, the direction of travel has been towards increasing data protection,” he argued.

“Whereas, in the US, with the passage of the Cybersecurity Information Sharing Act, the Government’s position is the polar opposite. Unless there is a huge change in policy on one side of the Atlantic, agreements like Safe Harbor are doomed to failure.”

Daniel Castro, vice president of think tank the Information Technology and Innovation Foundation, was more optimistic.

He claimed in a statement that following recent changes the US now has a clear set of rules governing the authorities’ access to personal data, which “offer similar levels of protection to those found in Europe and elsewhere.”

“In the spirit of working towards an agreement that restores cross-border data flows, the European data regulators set to meet tomorrow should establish a moratorium on new enforcement actions to give negotiators additional time to find a compromise,” he added.

“Enacting temporary enforcement measures at this point would be premature and impose unnecessary costs on businesses and consumers without addressing the long-term goals of either European or US interests.”

Skyhigh Networks European spokesperson, Nigel Hawthorn, argued that in the absence of an agreement, US firms have been working to circumvent the problem by adjusting their business operations to become more European-centric.

“In fact, 27% of cloud services now offer to store data in the EU, twice as many compared to six months ago,” he claimed.

Source: Information Security Magazine