Maximilian Schrems, who filed the complaint that eventually led to the Court of Justice of the European Union (CJEU) invalidating the Safe Harbor agreement between the EU and the U.S., published an in-depth analysis of what could happen next in a post-Safe Harbor world.
Safe Harbor Alternatives
Many people have thought that to fix the lack of a Safe Harbor agreement, U.S. companies would just add yet another disclaimer to their privacy policies, which few people ever read, and be done with it. But the EU's privacy laws, and the recent ruling, wouldn't make that possible.
The CJEU made it clear that transfers of EU data to U.S. servers without adequate protections interfere with the fundamental rights of EU citizens, and any deal or policy that would continue to allow that to happen would not be valid.
Therefore, companies can't simply ask EU users for consent in a hidden way, hoping they can get away with it. Schrems noted that, under Directive 95/46/EC, the consent would have to be freely given, specific, informed, and unambiguous.
According to Schrems, companies would not be able to hide or downplay their cooperation with the U.S. government through the use of expressions such as "may be subject to," or when their policies are referring to types of surveillance, through expressions such as "is subject to U.S. law."
U.S. companies would likely be trapped between U.S. gag orders telling them not to specify when or for what purpose access to a user's data was needed, and EU law demanding that exactly that be revealed to the EU user.
In regard to the user's consent being "freely given," Schrems thinks that users don’t "freely give" their private information to the NSA if they simply agree to use a service such as Facebook. Instead, the user is giving it because it's the only way to access the service, so the decision is made "under pressure."
This would be similar to other types of contracts where users are "giving consent" with their signature, but if that signature was offered under pressure, then it's usually not considered legally binding.
Max Schrems believes that the route most U.S. companies will take is to use a third party that is not subject to U.S. surveillance laws, for B2B transfers of EU user data. In such cases, the data would be first collected by this other company, and only then transferred to the U.S. company. However, he noted that this is unlikely to withstand CJEU scrutiny.
Requirements For Safe Harbor 2.0
Just before the Advocate General published his negative opinion on the Safe Harbor agreement, and before the CJEU ruled it invalid soon after, the EU Commission had already announced that it had almost finished a new agreement with the U.S. regarding data transfers. The negotiations started in the aftermath of the Snowden revelations, when EU officials learned what the U.S. was doing with everyone's data.
However, the Commission hasn't been too transparent about it, so we don't know what they were planning to change. The new agreement will likely require major modifications of whatever was already negotiated (which was likely far more favorable to the U.S. than it can be now, after the CJEU ruling).
In the Safe Harbor ruling, the CJEU said that to use EU citizens' data, companies, together with the U.S. government, would have to ensure "adequate protections." This seems like a rather ambiguous term, which at the very least could mean some "basic privacy protections" for the EU citizens' data.
Schrems said that the CJEU later clarified that what it meant by "adequate" protections is "essentially equivalent" protections. This is a much stronger definition of "adequate." It could ultimately lead to either a much more limited collection of EU data by U.S. companies, or for the U.S. government to agree to guarantee "essentially equivalent" privacy protections for EU citizens in the U.S. to the ones they get in the EU.
Schrems added that the new EU Data Protection regulation, which is currently about to wrap up as well, would not be able to "bypass" the CJEU ruling through weaker regulation, because then it could also be invalidated. The new EU Data Protection regulation won't come into force until 2018 anyway, so it can't be any sort of short-term fix for the lack of a Safe Harbor agreement.
The CJEU ruling also requires "effective detection and supervision mechanisms," which didn't exist in the old Safe Harbor agreement. The violations will have to be "identified and punished in practice," which is another thing that hasn't happened too much in the past.
The Court left room for self-certification mechanisms to continue to exist, but with one big caveat: There must not be any conflict with U.S. law. If the U.S. law requires companies to do something that their self-certification says they won't do, then that will not be considered valid self-certification.
The CJEU criticized the old Safe Harbor agreement for not covering U.S. public authorities, as well. A new Safe Harbor would need U.S. privacy laws covering foreigners' data in order to comply with EU privacy standards.
More Powers For DPAs
The CJEU ruling also gave more power to national Data Protection Authorities (DPAs). Even if a new agreement provides adequate protection, they can still block data transfers to the U.S. if they find U.S. mass surveillance against their citizens.
The mass surveillance issue is going to be the hardest to resolve, according to Schrems. This is because it seems to be hard even for U.S. citizens to complete a mass surveillance trial, which means it would be much harder still for foreigners to get redress in a mass surveillance case.
However, without this issue fixed, U.S. companies may find it very difficult to do business in the EU, which could be an incentive for the U.S. government to try to fix it. After all, the relationship with the EU seems important enough that the current administration is trying to pass not one, but two US-EU trade deals: TTIP (Transatlantic Trade and Investment Partnership) and TiSA (Trade in Services Agreement).
Safe Harbor 2.0 Soon?
Because creating a Safe Harbor 2.0 would mean getting the U.S. to agree to either drastically reform its surveillance laws or to accept the strong EU data protection directive, Max Schrems thinks it is unlikely to happen in the near future.
Also, even if a CJEU-proof Safe Harbor 2.0 is eventually created, U.S. companies may have already moved to alternative legal loopholes that allow them to transfer at least some of the data they are transferring right now. By then, many of them may already have chosen EU data localization and U.S. and EU product separation as a strategy as well. At that point, adhering to a new Safe Harbor 2.0 may not be necessary anymore, but it all depends on how fast the EU Commission and the U.S. government will move to agree on a solution that wouldn't get invalidated by the CJEU again.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
I'm surprised the (US) companies haven't bought a ton of lobbyists spreading money around to change the course of things. Perhaps (hopefully) that doesn't work with the CJEU or it hasn't been up for voting in the parliament...
I'm also afraid TTIP will just be another Safe Harbor debacle. I have very little confidence in the workings of the EU, which seem to have a life of their own, separate from the sovereign states it comprises.
I can only hope the EU will get stronger data protection laws in place quickly though.
Companies should comply with these changes, and sue the US Government for forcing them to do so.