Why Safe Harbor 2.0 will lose again

Ars talks with privacy campaigner Max Schrems.

BRUSSELS—Over the weekend, negotiators from the European Union's executive body and the US Federal Trade Commission worked frantically to thrash out a deal to allow transatlantic data transfers to take place. But the so-called Safe Harbour 2.0 is far from a done deal.

So how did we get here? Two men are essentially responsible: Edward Snowden and Max Schrems.

The whole world knows only too well about the whistleblowing exploits of Snowden, who infamously exposed the US National Security Agency's PRISM spying operation. What Austrian privacy campaigner Schrems went on to do with that information, once it became public in 2013, is logical but impressive in its scale. Schrems—then a law student in his mid-20s—looked at the companies accused of leaking personal information to the NSA and decided to file an official complaint about the misuse of his personal data by Facebook.

“I could pretty much have chosen any other big company that was involved in PRISM and has a European headquarters. You just need a company that is here in Europe, and some element in the US, and straight away you have two jurisdictions colliding,” he tells Ars.

Schrems speaks at a million miles an hour, as though he can't wait to explain everything that's happened and does not want to leave out even one iota of legal wrangling.

On the subject of any potential new agreement, he argues it would be no better and that a sector-specific approach to EU-US data transfers would be preferable. “If this case goes back to the ECJ [European Court of Justice]—which it very likely will do, if there is a new safe harbour that does not meet the test of the court—then it will fail again, and nobody wants that,” he says.

“What we should be focussing on are all these other companies in the US that do not fall under mass surveillance laws and that actually could protect our data well if they had the right agreements and the right arrangements.”

So why all this fuss now? After all, the ECJ ruled the Safe Harbour agreement invalid nearly four months ago. However, as Schrems notes, it’s not the European Commission’s deadline; it’s the deadline of data protection authorities who agreed after the ruling last October to hold off on action until officials in Brussels and the US had a chance to put their house in order. Now though, January 31 has come and gone, and no deal has been signed.

“There is a bunch of data protection authorities that will still do nothing after that date. But there are others who have already started doing things, so it’s kind of a soft deadline,” Schrems says.

But this “soft deadline” is one the big US corporations are taking lightly. Phrases like “legal limbo” have been bandied about, and companies are lobbying hard to persuade the Commission that the US does have sufficient safeguards for European data. It's an assertion that Schrems finds amusing.

“It’s hilarious if you read all these documents, because they are absolutely missing the point. The tactic from the US point of view right now is to pick on the weakest link in the European Union, usually the UK—even though being compared to the UK is a prize no one wants to win in the privacy world—and say 'the US is essentially equivalent.' What they’re absolutely missing out on is that the transfer between companies falls under EU jurisdiction, while national surveillance does not, so we have different standards,” he says.

Schrems is adamant that those lobbying in favour of so-called Safe Harbour 2.0 are trying to blur the lines “by saying we have this little change here, this little change there. But none of these are substantial changes of surveillance techniques that the US has. They have not even changed their own national system to a level that would be compliant with European law.” He adds: “They are basically trying to bombard Brussels with tons of lobby paper and hope that this is going to help them.”

In the meantime, some EU authorities, including the European Commission—which is the executive wing of the 28-member-state bloc—have advised companies to rely on so-called standard contractual clauses, rather than Safe Harbour, to cover their responsibilities in protecting the data of European netizens. According to Schrems, standard contractual clauses are no good because, as Article 4 of the EU Data Protection Directive states, data transfers cannot happen if there’s conflicting national law. “Obviously we have conflicting national law,” he says.

So, does the man who ruined the game for those data-hungry multinationals have a solution? Sort of. He tells Ars:

What you’ve got to consider is we are talking mainly about national surveillance, which is sector specific. It’s not that the US is overall not providing adequate protection. The court has held that you can have sector specific solutions. So what I would like is to look at special laws in the US and where they are applied.

If, for example, you are Facebook or a communication service provider which falls under these surveillance laws, then you probably cannot have a new safe harbour. But other alternatives are not going to work for you either—standard contractual clauses, etc—because there are exceptions that will kind of kill your transfers in these cases.

But we do send data to India, China, Russia... all countries that do not meet the adequate standard, because there are other options to send data there. I think this whole debate has become a little crazy. The whole Internet is not going to break down.

There are very specific transfers that are not going to work. The big problem is they affect the big shots—Microsoft, Apple, Facebook, Google. The US says you have to do mass surveillance. The European Union says you can’t. This struggle is really only a problem for the big companies. But it should not be solved by the European Union just not enforcing its law.
