The European Commission has outlined the areas in which it wants further concessions from the U.S. before a new Safe Harbor agreement on trans-Atlantic data transfers can be reached.
"We are close, but an additional effort is needed," European Commissioner for Justice Vĕra Jourová said Monday evening. There is still a need for binding commitments from the U.S. government, with additional safeguards on access to Europeans' data by U.S. public authorities and independent oversight in the area of national security, she said.
The original Safe Harbor agreement, under which businesses transferred the personal information of European Union citizens to the U.S. for storage and processing, was invalidated by the Court of Justice of the EU last year.
The agreement was important because the EU's 20-year-old Data Protection Directive forbids the export of citizens' personal information unless it benefits from the same privacy protections abroad as at home. U.S. law alone doesn't meet that requirement, but if companies also complied with the rules of the Safe Harbor framework, then the protection provided was adequate, the Commission decided in July 2000.
Last October, the court ruled that the framework was inadequate, calling into question the legality of many companies' data processing operations.
European data protection authorities gave the Commission and U.S. officials three months to come up with a new agreement before they started auditing companies' compliance with alternative mechanisms for authorizing data transfers, and that time is fast running out.
The new framework has to fully respect the requirements of the court ruling so that any new adequacy decision can withstand legal challenge, Jourová told the European Parliament's Committee on Civil Liberties, Justice and Home Affairs.
That gives the Commission little scope to make concessions of its own: The Court of Justice has set out the conditions on which U.S. data-processing companies can seek business from their European counterparts, leaving the Commission and the U.S. government to agree on how U.S. law can meet those conditions.
"It is not an easy task to build a strong bridge between two legal systems which have some major differences," Jourová said.
The original Safe Harbor deal sought to patch those differences with a voluntary agreement binding only on the companies that signed up to it, a failing pointed out by the court. The Commission's new approach is to seek fundamental changes in U.S. law or assurances that are binding on U.S. authorities, too.
The court's ruling also threw into question the alternative mechanisms that some companies have chosen to ensure they comply with European law. The changes the Commission is seeking now should help to protect data transferred under those mechanisms, too.
Jourová highlighted four areas where there were still obstacles to an agreement.
First, there is a need for further safeguards against access to Europeans' personal data by U.S. public authorities.
"The U.S. framework has evolved since the Snowden revelations," she said. The insights former U.S. National Security Agency contractor Edward Snowden's leaks provided into the agency's operations triggered the court case that ended the Safe Harbor agreement.
There have already been important reforms that introduced stronger oversight and more transparency, she said, but the Commission is still waiting for written assurances that there will be no indiscriminate mass surveillance and that U.S. authorities' access to Europeans' personal data will be limited to what is necessary and proportionate. These assurances will be reviewed.
Second, she said, there must be independent oversight of government access to data, and the possibility for individual redress, even in cases involving American intelligence services. The U.S. Senate has not yet voted on the Judicial Redress Act, which goes some way towards this, although the House of Representatives has already approved the bill.
While the Judicial Redress Act provides that EU citizens will have the same right to redress as U.S. citizens through the courts, Jourová hinted that this may not be sufficient. In the case of complaints about the intelligence services, "This could be done by an ombudsperson with a real capacity to act, which would give a response to individual complaints," she said, according to a transcript of her speech.
In the third area, settling complaints about privacy violations by companies, a number of mechanisms have already been agreed. First, a company can try to resolve the problem itself. If that doesn't work, there is an alternative dispute resolution service. Finally, the U.S. Department of Commerce or the U.S. Federal Trade Commission could take it up. European data protection authorities will be able to channel complaints to those agencies.
These mechanisms might still leave some complaints unresolved. That's a problem, because the EU's Charter of Fundamental Rights says citizens have the right to a legal remedy, Jourová said.
"Therefore, we are working on a 'last resort' mechanism to ensure that all complaints are resolved through a binding and enforceable decision."
The fourth stumbling block is the need for commitments from the U.S. that are formal and binding, Jourová said. Since this is not a treaty but simply an exchange of letters, "We need signatures at the highest political level and publication of the commitments in the Federal Register," she said.
Work on those four points continued, with intensive discussions through the weekend, she said. "Negotiations are still ongoing, including at the political level."
Jourová planned to speak with U.S. Commerce Secretary Penny Pritzker later Monday and will discuss progress with her fellow European Commissioners on Tuesday afternoon.
Europe's data protection authorities are holding their own meeting on Tuesday. On Wednesday, they will publish their evaluation of the effect of recent changes in U.S. law on the alternatives mechanisms for trans-Atlantic data transfer.