U.S.-EU Safe Harbor Renegotiation Imperiled

The end-of-January deadline for a U.S.-EU Safe Harbor (Safe Harbor) replacement – a deadline set by the European Union (EU) data protection authorities' Working Party 29 when Safe Harbor was invalidated last fall – is rapidly approaching, and a solution is not yet in sight.

Both EU and U.S. officials have expressed optimism and have reported being close to an agreement, but there remains a tangible fear that the agreement cannot be reached by the EU regulators' deadline. On January 21, Secretary of Commerce Penny Pritzker said, "It's time for us all to acknowledge that we've gone as far as we can go," while attending the World Economic Forum in Davos, Switzerland. "What we need to do is meet our deadlines now so commerce doesn't stop." Unfortunately, that same day a European Commission spokesman said, "There have been some movements on the U.S. side, which is welcome, but we need further clarification on transparency and effective oversight."

Here are the key actions (or inactions) to watch:

• Passage of the Judicial Redress Act in the U.S. has stalled in the Senate.
  • The proposed legislation would give EU citizens redress rights in the U.S. for alleged government data misuse. It is thought to be a critical piece of the Safe Harbor renegotiation, so the lack of passage right now is bad news.
• The Safe Harbor renegotiation may not be finalized by the end-of-January deadline.
  • The pressure is on, and both sides know it. The U.S. Vice President has gotten involved. The Secretary of Commerce herself is an integral part of the negotiations at this point. Major companies on both sides of the Atlantic are pressuring their governments for a solution. Those are good signs, but as with all bilateral negotiations, there are no guarantees of success.
  • If the EU draws a hard line with the Judicial Redress Act, and no other legal frameworks are devised, then the new Safe Harbor may not stand a chance.
• The EU Data Protection Authorities are holding a plenary meeting on February 2 to decide the fate of EU-U.S. data transfers more generally.
  • A range of possible outcomes are on the table, including "freezing" all new authorizations for U.S. data transfers on the basis of other data transfer mechanisms such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
  • The status of Safe Harbor renegotiations could affect the outcome of the February 2 meeting. If a new agreement has not been finalized (and the expected protections that will come with it implemented), there is a risk that the regulators (or at least some of them) will stop authorizing new BCRs or SCCs.
  • The fate of existing EU to U.S. data flows using BCRs or SCCs is unknown. Even if the regulators do not adopt a universal freeze on U.S. transfers, the regulators will likely be emboldened to challenge transfers on an ad hoc basis.
• Before Safe Harbor was invalidated, Israel allowed international data transfers to U.S. companies that were Safe Harbor certified (despite the fact that Safe Harbor was created for a bilateral purpose of EU-to-U.S. data transfers). When Safe Harbor was invalidated, Israel followed suit and declined to recognize Safe Harbor as a valid data transfer mechanism. However, the Israeli data protection authority announced on January 21 that they will hold off on enforcement of Israel-to-U.S. data transfer concerns related to Safe Harbor until the new Safe Harbor is renegotiated.

Israeli regulator patience is a small victory for U.S. and Israeli companies, but there remain some very serious concerns about the future of EU-to-U.S. data transfers. Thus far two potential solutions have been proposed to address European concerns. First, EU companies can maintain local servers in the EU and eliminate personal data transfers to the U.S.; or second, in addition to establishing a valid data transfer mechanism, EU companies can encrypt personal data before sending it to the U.S., to help alleviate the concern of U.S. government interception. Those solutions, of course, come with a number of practical challenges.