Readers will recall a minor data protection development last year in Case C-362/14 Schrems, in which the CJEU annulled the Safe Harbor (or Harbour) framework under which data had been merrily being transferred from the EU to the US without, apparently, breaching the eighth data protection principle (in strictly DPA terms). It prompted rather a lot of commentary online, including here and here, as well as some frantic reassurances from the European Commission discussed by me here. Readers may also recall the warning issued by the Article 29 Working Party that if a solution wasn’t found by the end of January, they would be take appropriate action (drum roll please).
The more alert of you will have spotted that January has now ended. Where is the replacement Safe Harbor agreement? Good question. The Commission finally broke cover on 1 February with a speech from Commissioner Jourova, in which she explained how difficult it has been to come to any sort of agreement with the US authorities which would satisfy the strictures of the Schrems judgment. In fact, not much reading between the lines is required to discover that no deal has really been reached at all (although the speech indicates that the process has not yet been finalised).
Of particular note is the admission made, at the very end of the speech, doubtless hoping that data protection was still thought so boring that everyone would have been snoozing by that point, that there would be no international agreement, just “an exchange of letters”. This has produced a certain amount of entirely-to-be-expected ridicule online, and it is certainly difficult to see how the letters will be anything like full and binding enough to satisfy the CJEU.
The Snowden revelations of mass surveillance are to be dealt with by “specific written assurances from the U.S. that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate.These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-U.S. persons”. Luckily though, the Commission has promised to keep an eye on those pesky intelligence-gathering operations. *phew*
The section dealing with oversight is extremely patchy, and the reference to it “could” be done by an Ombudsperson rather suggests that there is precisely no agreement to date on this crucial part of the Court’s complaints. Some progress does appear to have been made, however, on resolution of individual complaints, through a free alternative dispute resolution service; a hotline from your friendly national regulator to the US Federal Trade Commission; and a mysterious new ‘last resort’ mechanism which has evidently yet to be finalised.
The Commission may of course have been carrying out an exercise in lowering expectations, in which case they have succeeded admirably. Absent a host of new agreements in the next few days, the negotiations do not seem to have borne much by way of fruit. The man from Del Monte would not be impressed.
Unless this exchange of letters is actually with Santa, it seems unlikely that anything the Commission are going to be able to come up with is not going to be good enough to meet the requirements of the Schrems judgment. There are alternatives to Safe Harbor of course, but they aren’t as effective or flexible, and it does not bode well for the inter-state trade which depends on a ready ability to transfer data across the Atlantic. And that does nobody any favours (or favors).
Christopher Knight