Channel: Max Schrems | TechCrunch

Facebook Data Privacy Class Action Now Oversubscribed

A civil class action lawsuit being brought against Facebook on privacy grounds by Europe vs Facebook campaigner Max Schrems has hit its current maximum of 25,000 participants less than a week after the action was announced.

European Facebook Privacy Lawsuit Heads To Court In Vienna

A class action data privacy lawsuit that’s being brought against Facebook in Europe — for participation in the NSA’s PRISM dragnet surveillance program, among other alleged data protection violations — gets its first preparatory court hearing today in Vienna’s Regional Cou

Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement With U.S.

The European Court of Justice has today declared invalid the Safe Harbor data-transfer agreement that has governed EU data flows across the Atlantic for some fifteen years.

Facebook ‘Class Action’ Privacy Lawsuit Moves To Austrian Supreme Court

A privacy lawsuit filed against Facebook last year by Viennese lawyer and data privacy activist Max Schrems has moved up to Austria’s Supreme Court, which will rule on whether the suit can be treated as a class action.

With No European Safe Harbor, Facebook Faces Privacy Complaints On Multiple Fronts

Facebook’s least favorite Austrian, lawyer and privacy campaigner Max Schrems, has updated his data protection complaints against the social network giant in the light of the recent ECJ strikedown of the Safe Harbor transatlantic data-sharing agreement.

Safe Harbor Deadline Passes Without A New Deal On Transatlantic Data Flows — Yet

A deadline to agree a new deal to govern transatlantic data transfers has passed without agreement on a new, safer ‘Safe Harbor’. But talks are continuing — and Věra Jourová, the EC commissioner heading the negotiations from the European side, said today that a deal “is close”, although she emphasized that “an additional effort is needed”.

Europe And US Seal ‘Privacy Shield’ Data Transfer Deal To Replace Safe Harbor

A new transatlantic data transfer deal has been announced today between the EU and the US. The new EU-US Privacy Shield replaces the old Safe Harbor agreement, which was invalidated by the European Court of Justice last October on the grounds that US mass surveillance programs were violating fundamental European privacy rights.

EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29

The Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has said today that it will not be taking enforcement action against companies that are using alternative transfer mechanisms in the wake of last year’s Safe Harbor strikedown.

Draft Text Of EU-U.S. Privacy Shield Deal Fails To Impress The Man Who Slayed Safe Harbor

The draft text of an agreement between the EU and the US to establish a new self-certification framework governing transatlantic data flows, aimed at ensuring data protection and privacy compliance when Europeans’ data is taken to the US for processing, has now been published. But questions remain over whether the deal is robust enough to pass muster.

More uncertainty over EU-U.S. data flows as Irish DPA warns on legality of model contract clauses

Another development in the slow unraveling of the legal regime governing EU-U.S. data flows: the Irish data protection agency has warned that one of the mechanisms currently being used by thousands of companies might not be legal.

U.S. Government wants to step into European Facebook privacy legal challenge

European privacy campaigner Max Schrems’ legal challenge to Facebook has already been credited with the demise of a fifteen-year-old data transfer arrangement between the region and the U.S. last year, causing huge uncertainty for transatlantic data flows after Safe Harbor was suddenly struck down. But Schrems’ legal powder is far from spent.

Europe’s top court to weigh in on Facebook privacy ‘class action’

Europe’s top court, the CJEU, has been asked to rule on whether a privacy-related legal action brought against Facebook can be treated as a class action or not.

ACLU calls for tech firms to lobby for surveillance reform

The American Civil Liberties Union (ACLU) has put out a fresh call for tech companies to push for reform of the surveillance regime in the U.S., warning of the added urgency given new U.S. President Donald Trump — who has already been demonstrably hostile to foreigners’ privacy rights in his first few days in office.

Challenge to data transfer tool used by Facebook will go to Europe’s top court

Facebook has bought itself a little more time over a major legal challenge in Europe after the Irish High Court decided not to strike down a B2B mechanism it uses to transfer user data to the U.S. for processing.

Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement With U.S.

The European Court of Justice has today declared invalid the Safe Harbor data-transfer agreement that has governed EU data flows across the Atlantic for some fifteen years.

“The Court of Justice declares that the Commission’s U.S. Safe Harbour Decision is invalid,” the ECJ said in a statement today, reported by Reuters.

Some 4,700 companies rely on Safe Harbor to operate businesses in the region. It affects those companies that outsource data processing of E.U. users’ data to the U.S.

The Safe Harbor executive decision allows companies to self-certify that they provide “adequate protection” for the data of European users, in order to comply with the European data protection directive and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention for the Protection of Human Rights).

In an EC press conference on the ECJ ruling today, the First Vice-President of the Commission, Frans Timmermans, said: “Today’s judgement by the court is an important step towards upholding Europeans’ fundamental rights to data protection. The court confirms the need of having robust data protection safeguards in place before transferring citizens’ data.”

The Safe Harbor rules were already under review by the European Commission in the wake of the Snowden revelations exposing how U.S. intelligence agencies’ surveillance apparatus taps into commercial Internet services, with data protection commissioner Viviane Reding stating back in July 2013 that Safe Harbor “may not be so safe”.

The Commission issued 13 recommendations for improving Safe Harbor in November 2013 but negotiations to rework the framework are ongoing.

“We have been working with the American authorities to make data transfers safer for European citizens. In light of the ruling we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic. In the meantime transatlantic data flows between companies can continue using other mechanisms for international transfer of personal data available under EU data protection law,” added Timmermans.

Today’s ECJ judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems, who filed complaints against several U.S. Internet giants — including Facebook — in the Irish courts for alleged collaboration with the NSA’s Prism program. The Irish courts dismissed the complaint on the grounds that the European Safe Harbor agreement governed such data flows, and referred the case to the ECJ. The latter has now ruled that European data protection authorities cannot rely on the umbrella of Safe Harbor to govern their decisions.

https://twitter.com/maxschrems/status/651300558331097088

In an initial response to the ruling, Schrems said it “draws a clear line” by clarifying that mass surveillance “violates our fundamental rights”.

His statement reads:

I very much welcome the judgement of the Court, which will hopefully be a milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.

The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.

This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

At the same time this case law will be a milestone for constitutional challenges against similar surveillance conducted by EU member states.

There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don’t think that we will see major disruptions in practice.

Late last month, the top advisor to the ECJ, Yves Bot, issued an opinion that suggested the court would invalidate Safe Harbor. In a last-minute PR scramble in recent weeks — as the ECJ decision loomed — both the U.S. mission in Europe and Robert Litt, the general counsel from the office of the US director of national intelligence, have been attempting to argue that U.S. intelligence operates ‘targeted’ rather than mass surveillance, despite the dragnet approach detailed in the Snowden documents.

Writing in an article in the FT only yesterday, Litt argued that the NSA’s Prism data harvesting program “does not give the US “unrestricted access” to data”, claiming: “Rather, the US may obtain communications only relating to specific identifiers, such as an email address or telephone number; only if the US believes those identifiers are being used to communicate foreign intelligence information; and only with the legally compelled assistance of communications service providers under the supervision of an independent court.”

Such interventions have clearly failed to sway the court, however, which notes in its judgement today earlier conclusions by the European Commission that “the large-scale access by intelligence agencies to data transferred to the [U.S.] by Safe Harbor certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the [U.S.].”

Referring to the EC’s November 2013 communication, the ECJ further notes: “It is apparent, in particular, from points 3 to 5 and 8 of Communication COM(2013) 847 final that, in practice, a significant number of certified companies did not comply, or did not comply fully, with the safe harbour principles.”

Commenting on the ruling to TechCrunch, Marion Oswald, senior fellow in law at the University of Winchester, adds: “It seems to be definitely that the court is making a definite decision about the privacy impact of mass surveillance. It is concerned also about individuals having a way of challenging that and having a right of recourse via their own domestic data protection authorities.”

So what happens next, from the tech industry perspective? The judgement opens U.S. Internet businesses with users in Europe to privacy challenges if they are processing E.U. data in the U.S. The court has not allowed for a transitional period, which may accelerate moves by U.S. Internet companies to adopt strong encryption — something we have already been seeing in the wake of the Snowden revelations.

Or else companies will need to restructure their European data processing operations — such as building European data centers to process regional data — although such shifts might require other significant procedural changes in how they manage user data flows, so could entail significant time and expense. Larger companies may have the resources to restructure (more) quickly, but smaller entities may struggle. (One type of business that will be gaining uplift from the ruling and the uncertainty it generates is the law firms that will now be deluged for advice…)

Schrems argues there may be a political fix in the near term if the EC and the U.S. government hammer out a new Safe Harbor agreement, although he argues it “will very likely require severe changes in US law and more than just an update to the current ‘safe harbor’ system”, adding: “Otherwise full compliance with EU fundamental rights and the judgement will be very hard to achieve.”

Commenting on the ECJ ruling in a statement, MEP and Civil Liberties Committee Chair, Claude Moraes, said it forces the EC to act to “come up with immediate alternative to Safe Harbor” — although he expressed disappointment at the lack of a more detailed EC update on the process. “The Commission has been in negotiations with the U.S. for over a year on improving the framework but we have still received no update on these discussions,” he noted.

“The Commission must immediately put forward a new complete and strong framework for transfers of personal data to the US which complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules and provide our citizens with solid, enforceable data protection rights and effective independent supervision,” he added.

Speaking during the Commission press conference, EC justice commissioner Vera Jourová noted there are alternative mechanisms for companies to share data ahead of an updated Safe Harbor framework, such as “standard data protection clauses in contracts” or “binding corporate rules for transfers within a corporate group”.

“Also the data protection rules include derogations under which data can be transferred on the basis of performance of a contract,” she continued. “For instance if you book a hotel in the U.S. your personal data are transferred there in order to fulfill the contract. Another option is important public interest grounds, such as co-operation between authorities in the fight against fraud, cartels and so on.

“Another option: the vital interest of the data subject. It means in urgent life or death situations personal data, such as medical records, can be transferred internationally in the person’s own interest. Or if there is no other ground, the free and informed consent of the individual.”

She also confirmed that negotiations on the update to Safe Harbor are still ongoing, but declined to give a timeframe for completion, saying national security issues have required more time for the process — although she did suggest the ECJ ruling invalidating Safe Harbor gives the Commission a stronger negotiating position as those discussions continue.

U.S.-based pro-privacy and digital rights organization, TACD, today dubbed the ECJ ruling “a major global victory for privacy”. It advocates for a global set of data protection standards, and for the U.S. specifically to enact a comprehensive set of data privacy rules to bring it into line with other global regions that do have such rules.

In a statement, Finn Myrstad, EU chair of the TACD Information Society Policy Committee, said: “This case, and multiple others, has shown the privacy and fundamental rights of European citizens are not respected. We need a much better framework that engenders trust and promotes privacy and security of personal information. Only then can we have a digital economy to the benefit of consumers on both sides of the Atlantic.”


In the short term the ECJ ruling puts more emphasis on national data protection authorities, which will be fielding any complaints and ruling on them. So regional differences could be significant, as Winchester’s Oswald notes.

“There’s been a lot of difference in terms of the attitude of different national DPAs to big corporates in particular,” she told TechCrunch. “In the U.K. the ICO certainly has taken a very business friendly approach. They’ve a tendency to come to negotiated agreements rather than taking aggressive enforcement action, whereas on the continent in particular the attitude has been quite different.”

“There may well be a risk here that there will be different views taken, and a different approach taken — certainly in the U.K. to some of the DPAs on the continent,” she added.

However, the EC stressed that one of its priorities in the wake of the judgement is to issue “clear guidance” for national data protection authorities — specifically to avoid any “patchwork” or fragmentation in their response, and to ensure a “co-ordinated European approach in the internal market” that gives more clarity for businesses.

“The Commission will work closely with the data protection authorities,” said Jourová. “We’ve started intensive discussions with the DPA authorities and with the Working Party 29 because what we have to ensure together is the unified approach of the data protection authorities because now we are under 28 regimes.”

(The WP29 has also now put out a response statement, in which it notes it will be kicking off initial expert discussions this week — “in order to provide a coordinated analysis of the Court’s decision and to determine the consequences on transfers” — with a full meeting of the working party due to be “shortly scheduled”.)

The forthcoming update to the EC’s data protection directive — another big EU reform still in train but which Jourová confirmed will be completed this year — is also set to harmonize rules across national data protection authorities. So the ECJ ruling looks to be accelerating the existing European data protection trajectory in that regard.

“The Commission will also do what it can to offer assistance and help to business who are looking for answers on how to facilitate data transfers in light of the judgement. We will put relevant information and contact points on our website,” added Jourová.

Responding to the ruling in a statement, the Irish data protection commissioner Helen Dixon confirmed the original Schrems case will return to court in Ireland, saying she is taking steps to bring the case “back as soon as practicable before the Irish High Court”. So Schrems will get his day in Irish court (again).

“In declaring the old ‘safe harbor’ rules invalid, however, the significance of the judgment extends far beyond the case presently pending in Ireland,” Dixon added. “In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”

A separate landmark ECJ judgement earlier this month — which ruled in favor of the Hungarian data protection authority vs a Slovakian property website called Weltimmo — may have additional implications for the application of the Safe Harbor ruling.

The Weltimmo ruling effectively means that if a company operates a service in a country it can be held accountable by that country’s national data protection agency — despite not being headquartered there. So Internet businesses such as Facebook which offer services to, for instance, German and French users may find themselves under the jurisdiction of German or French DPAs, rather than as has been the case up to now only the Irish DPA. (Related and relevant: Facebook’s privacy-related court clash with the Belgian DPA.)

The Weltimmo ruling seems another good reason for the EC to try to get national data protection authorities acting as one. The alternative, as Essex University’s Professor Lorna Woods posits, is a situation where companies targeting services at citizens of multiple European countries could have an obligation to “comply with multiple views” on what is ‘adequate’ in terms of data protection, based on variable attitudes at the national level.

“If you’re targeting people in say Germany or Belgium or wherever else then they could still say in relation to our citizens you’ve got to comply with our view of what’s adequate [privacy and data protection]. But there could be an obligation on a company to comply with multiple views of adequate,” she suggests.

Woods points to additional issues that have emerged around the operation of Safe Harbor in recent times — regarding the robustness of the self certification process, and failures by companies to comply with the rules — and says the ECJ is picking up on these problems. So the ruling is about more than just the Snowden disclosures.

“It’s saying ‘not only is it about the level of protection, it’s the practice’,” she says. “You can have this wonderful system on paper; we’re actually saying you’ve got to ensure it.

“And here we have in the background the fact that the Safe Harbor system is self certification, and we have in the background the recent activity by the FTC on companies that haven’t self certified, they’ve not kept their certification up to date, they haven’t really done what they’ve said they’ve done. There’ve been all sorts of problems. So there’s that in the background.”

The EC’s Jourová also referred to this issue — noting in a Q&A session at today’s press conference the need for “stronger monitoring of compliance of rules under Safe Harbor on the commercial part”.

“There we already achieved quite a lot of good results in communication and negotiations with the American Department of Commerce and, I must say, that we received very strong commitments from the American authorities that there will be continuous monitoring of the reinforced Safe Harbor,” she added.

Woods’ broader view is the ECJ ruling could have serious implications for big data business models in general if companies are relying on similarly indiscriminate access to information as government intelligence agencies were revealed to have been by the Snowden disclosures.

“Quite clearly the main thrust of this is there has been an issue with… the possibility of indiscriminate access to data of all sorts,” she says, adding: “The [ECJ] are not distinguishing, interestingly enough, between data and content either. So they’re saying we don’t care whether it’s sensitive data or not sensitive data — you shouldn’t be accessing it.

“I think there is a broader issue which I don’t think we’ve got to the bottom of in Schrems. I think the court is certainly trying to limit what it’s saying but the questions are there — and the questions are there for the businesses such as Facebook, Google. Big data business models I suppose you could reduce it to. So that’s quite interesting.”

“It’s probably going to be politically inconvenient,” Woods adds. “It’s going to have repercussions on all those American data industries. Potentially far-reaching… Those companies that hoover up loads of data will be scratching their heads about this.”

Trevor Hughes, VP of Research at The International Association of Privacy Professionals, agrees there are likely to be “broader ripple effects” — although what those effects might be is not clear at this point. What is clear is that data sharing across the Atlantic has become far more legally complex for businesses than it was yesterday.

“To begin with data flows have not stopped today. Data continues to flow between Europe and the United States and will likely continue to flow for the foreseeable future,” Hughes tells TechCrunch. “It’s unlikely that will stop. However the risk profile for organizations has increased exponentially.

“Theoretically every organization that previously was in the Safe Harbor is out of compliance with European data protection law today and is subject to the enforcement risks of a data protection authority coming after them. How organizations respond to that — whether they begin to build more data centers in Europe — whether they seek other mechanisms for permissively transferring data, not just to the U.S. but around the world, I think a lot remains to be seen as to how we move forward.”

“Big data, cloud providers, global multinationals, large Internet and tech companies — I think all are spending a lot of time today assessing exactly what their risks are and what this means,” he adds.


Facebook ‘Class Action’ Privacy Lawsuit Moves To Austrian Supreme Court

A privacy lawsuit filed against Facebook last year by Viennese lawyer and data privacy activist Max Schrems has moved up to Austria’s Supreme Court, which will rule on whether the suit can be treated as a class action.

When Schrems kicked off the suit, back in July 2014, he invited adult non-commercial Facebook users located anywhere outside the U.S. and Canada to join the suit for free — and tens of thousands of people quickly took up the invitation.

The legal action focuses on multiple areas where the plaintiffs argue Facebook has been violating EU data protection laws, such as the absence of effective consent to many types of data use; the tracking of Internet users through external websites; and the monitoring and analysis of users via big data systems. Facebook’s participation in the NSA’s PRISM surveillance program is also part of the complaint.

In July the case suffered a setback when an Austrian regional court ruled the suit inadmissible, saying it had “no jurisdiction” over the matter. However an appeals court subsequently ruled Schrems can file personal claims at his local court in Vienna, as he falls under the relevant consumer protection laws. But he’s still pushing for the suit to be heard as a class action.

The wider legal sticking point is over whether European courts will allow the bundling of similar claims into a formal class action — as Schrems has been hoping.

“It would not make a lot of sense for the court or the parties before it to file these claims as thousands of individual lawsuits — which we can still do if a ‘class action’ is not allowed. We therefore think that the ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook,” he argues in a statement.

At the time of writing Facebook had not responded to a request for comment on the case. A Facebook spokesperson said: “We’re awaiting the decision.”

The Austrian Supreme Court will now rule on whether it agrees with Schrems’ logic on the class action point. It could also choose to refer the matter to Europe’s top court, the ECJ. But even if the Supreme Court will not allow a formal class action Schrems notes he can still file the action as a model case — so Facebook will have to answer his complaints in court, either way.

This October the privacy activist won a landmark legal victory at the ECJ when the court struck down a fifteen-year-old transatlantic data flows agreement (Safe Harbor) following another privacy-related case he brought against tech companies, including Facebook. In that action he had argued that data-sharing activities by commercial tech giants with the U.S. government’s mass surveillance programs violated fundamental European privacy rights. The ECJ agreed.

The Austrian Supreme Court is expected to make a decision on Schrems’ latest Facebook-related privacy suit at the beginning of 2014. After the admissibility of the lawsuit is decided, the Vienna Regional Court will then set a date for the first hearing.

Facebook is also embroiled in a privacy-related lawsuit in Belgium, following action taken by the national data protection authority. Earlier this month a court in Belgium imposed daily fines on Facebook if it did not change how its tracking cookies process the personal data of non-Facebook users. Facebook said it would be appealing that decision.

Facebook had sought to argue the Belgian courts had no jurisdiction over the tracking cookies matter because its European headquarters are sited in Ireland. However that argument was slapped down by the Belgian court.

The ECJ Safe Harbor strikedown has undoubtedly put more emphasis on European Union Member States’ national data protection authorities to rule on data protection issues.

The principle of legal jurisdiction for data protection matters being limited to authorities and courts where a company has its European headquarters has also been dealt a significant blow by several recent ECJ rulings. And data protection compliance for Facebook and other large tech companies operating across multiple European countries has quickly become a whole lot more complex.

Meanwhile, the European Commission is continuing talks with the U.S. to try to hammer out a new Safe Harbor framework to govern transatlantic data-flows — saying earlier this month that it wants a new deal to be agreed by January 2016. However it also said that securing such a deal will require the U.S. to enact more changes and reforms in its intelligence gathering and surveillance programs.

With No European Safe Harbor, Facebook Faces Privacy Complaints On Multiple Fronts

Facebook’s least favorite Austrian, lawyer and privacy campaigner Max Schrems, has updated his data protection complaints against the social network giant in the light of the recent ECJ strikedown of the Safe Harbor transatlantic data-sharing agreement.

Schrems has now filed an updated complaint against Facebook with the Irish data protection authority — where his original complaint was filed back in June 2013. The substance of the complaint relates to European Facebook users’ data being pulled into NSA mass surveillance programs once it has been exported to the U.S. — and thereby, Schrems contends, undermining fundamental European data protection rights.

The Irish DPA dismissed the original complaint back in July 2013 on the grounds that the fifteen-year-old Safe Harbor agreement, which Facebook was signed up to, apparently took precedence as the overarching governing mechanism for data transfers. However that position was blown out of the water by the ECJ Safe Harbor ruling this fall — hence Schrems’ updating and redoubling of his complaints now.

“We want to ensure that this very crucial judgement is also enforced in practice when it comes to the U.S. companies that are involved in U.S. mass surveillance,” said Schrems referencing the Safe Harbor ruling in a statement on his latest data protection complaints. “The court’s judgement was very clear in this respect.”

Safe Harbor is no longer an option for companies to legalize data flows going West across the pond — albeit the European Commission and the U.S. are busy trying to hammer out a replacement deal (with a deadline of January 2016 to secure a so-called ‘Safe Harbor 2.0’). U.S. intelligence agency access to data is, unsurprisingly, the big sticking point for any new agreement.

Schrems has also filed two further complaints about the same issue, one with the Belgian data protection authority, and another with the City of Hamburg’s DPA in Germany. These are the “first round” of what his Europe vs Facebook privacy campaign organization dubs “co-ordinated complaints”. So Facebook should expect to be dealing with a European data privacy war that’s being waged on an increasing number of fronts.

The three complaints call for the respective DPAs to suspend all data transfers from Facebook’s European HQ to its U.S. operations — with a “reasonable implementation period” suggested to allow the company to transition to an alternative arrangement that would be compliant with the ECJ ruling. (Schrems suggests Facebook’s options here could include: “moving data to Europe, encrypting data that is stored in the United States or reviewing the corporate structure”.)

He is also calling for DPAs to conduct an audit of Facebook, as the data importer, and any sub-processors — a suggestion targeting all Facebook’s worldwide offices, data centers and relevant documents of Facebook Inc, as well as all sub-processors of Facebook data.

Schrems’ strategy of filing complaints with multiple individual European Union Member States’ DPAs follows several European Court of Justice rulings which have clearly strengthened the position of national DPAs when it comes to data protection complaints — including in the so-called ‘right to be forgotten‘ case against Google last year, and an ECJ judgement this year ruling in favor of the Hungarian data protection authority vs a Slovakian property website called Weltimmo.

The Belgian DPA has also been pursuing its own privacy-related action against Facebook, filing a civil suit this summer over Facebook’s use of cookies to track non-Facebook users, and going on to convince a judge it does indeed have jurisdiction over the company (Facebook had tried to claim there was no legal route for it to be sued in Belgium because its European headquarters are in Ireland). Facebook has apparently agreed to comply with the Belgian court’s order not to continue tracking non-users, while it continues contesting the ruling.

The Hamburg DPA, meanwhile, was very quick off the mark, post ECJ Safe Harbor ruling, to announce its own investigation of Facebook’s (and others’) data transfer arrangements. The DPA has a history of actively investigating privacy-related complaints. After the Safe Harbor ruling, Hamburg’s data privacy commissioner, Johannes Caspar, also stated: “Anyone who wants to remain untouched by the legal and political implications of the judgement, should in the future consider storing personal data only on servers within the European Union.”

Schrems notes his lawyers wrote to Facebook to ask what alternative data transfer methods the company is using in the wake of the Safe Harbor strikedown — obtaining a copy of the contractual agreements it claims it is using. Such agreements have an exception for cases of illegal “mass surveillance” in Schrems’ view — so he’s convinced these transfer methods will not pass muster with the DPAs.

“All relevant EU decisions include an exception for cases of mass surveillance,” notes Gerard Rudden of Ahern Rudden Quigley Solicitors, who is representing Schrems in Ireland. “There is no ‘quick fix’ through alternative transfer methods for companies that are involved in the violation of European fundamental rights.”

Schrems is also arguing that any new Safe Harbor deal will be irrelevant, because the ECJ ruling is based on the European Charter of Fundamental Rights — so again a data transfer agreement will not be able to overrule the court’s findings in cases of mass surveillance.

Unless the U.S. government has a Damascene conversion to Europe’s way of thinking about privacy as a fundamental right, and outlaws its own mass surveillance programs, there are going to be multiple routes for privacy complaints to be filed in Europe against U.S. companies like Facebook, which operate services in the region — at least until the companies themselves restructure their European operations to reflect the new post-Snowden digital data reality.

Microsoft’s recent announcement of a German trustee cloud model — with a third party European company apparently acting as a firewall between Microsoft’s European customers’ data and the U.S. intelligence agencies’ data harvesting programs — is one example of how EU-U.S. data flows might be restructured in light of the Safe Harbor strikedown.

https://twitter.com/maxschrems/status/672351668936294400

Responding to Schrems’ latest complaints in a statement, a Facebook spokesperson provided the following emailed statement to TechCrunch:

We have repeatedly explained that we are not and have never been part of any program to give the U.S. government direct access to our servers. Facebook uses the same mechanisms that thousands of other companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. These issues are being examined by the Irish Data Protection Commission (DPC) at the request of Mr Schrems. We are cooperating fully with the DPC and are confident that this investigation will lead to a comprehensive resolution of Mr Schrems’ complaints.

Although Schrems’ complaints continue to target Facebook principally, the original Europe vs Facebook mass surveillance complaint from 2013 also named other U.S. tech companies that were identified in documents leaked by NSA whistleblower Edward Snowden as being involved in the NSA’s PRISM data collection program — including Apple, Microsoft and Yahoo.

Safe Harbor Deadline Passes Without A New Deal On Transatlantic Data Flows — Yet


A deadline to agree a new deal to govern transatlantic data transfers has passed without agreement on a new, safer ‘Safe Harbor’. But talks are continuing — and Věra Jourová, the EC commissioner heading the negotiations from the European side, said today that a deal “is close”, although she emphasized that “an additional effort is needed”.

The original fifteen-year-old Safe Harbor agreement, which had allowed some 4,700 companies to self-certify that they would provide adequate protection of European citizens’ data once it was in the U.S. for processing, was ruled invalid by Europe’s top court, the ECJ, in October last year, leaving businesses scrambling to figure out how to operate legal data transfers in the meantime, while US and EC officials tried to hammer out a new agreement.

The deadline to seal a new deal was set by the EC back in November, giving negotiators three months to set out their stalls, before any European Data Protection Agencies would start enforcement actions against companies suspected of breaching European law. Now that deadline has passed, there’s nothing to stop DPAs starting enforcement actions. Although if a new Safe Harbor deal really is close the current legal limbo may close up soon enough.

Or that closeness may turn out to be the deceptive proximity of parallel legal universes.

The sticking points for the European negotiators are that they are still looking for further clarification on transparency and effective oversight, according to a spokeswoman for Jourová, who is the Commissioner for Justice, Consumers and Gender Equality.

Making a statement in the European Parliament on the current state of play, Jourová fleshed out these sticking points in more detail. The agreement must be “fundamentally different” to the old Safe Harbor, she asserted, and must be able to withstand any future legal challenge — such as the case brought by Max Schrems that led to the ECJ striking down the original agreement last year.

“We have tried hard to obtain commitments from the US to ensure that any new arrangement meets the requirement of the court ruling. We are aiming… for a robust new system that unlike Safe Harbor ensures that any individual complaint is resolved, includes guarantees that access by public authorities is limited to what is proportionate and necessary, and third main different from the old Safe Harbor, this new arrangement will be closely monitored and reviewed on a regular basis with the involvement of national security bodies and data protection authorities,” she said.

“I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences. But I believe that the close partnership between Europe and the US deserves these special efforts,” she added, throwing a little soft soap over what have evidently been some pretty spiky late night discussions.

Jourová has previously said that the US adopting the Judicial Redress Act is a necessary step to achieving a new deal — to provide a path for EU citizens to sue over privacy complaints in the US. A Senate judiciary committee passed the Act late last week. However it also passed a last minute Republican amendment that provides for an exception on national security grounds — thereby undermining the entire point of the measure, from an EC perspective. Not the greatest message to send to negotiations hanging in the balance at the eleventh hour then…

On the point of national security agencies’ access to data, Jourová today reiterated there must be “limitations and safeguards”, as well as independent oversight and redress. She also reiterated there can be “no indiscriminate mass surveillance”. (The key irony word there being indiscriminate — more on that below…)

“The Schrems ruling has made clear that [public authorities’ data] access must be limited to what is strictly necessary,” she said. “The US framework has evolved since the Snowden revelations, there have been important reforms under President Obama introducing stronger oversight and more transparency.

“In the context of our negotiations we are obtaining specific written assurances from the US that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate. These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-US persons.”

Specifically, Jourová said it is necessary for the US to create a “functionally independent body” — such as an ombudsman — which could answer complaints by European citizens about the use of their data by public authorities in the US.

She also said the negotiators were working on “a last resort mechanism” to ensure all complaints are resolved “through a binding and enforceable decision”. She noted that the FTC is more involved in setting strategy than in individual complaint handling, and said it will be necessary for EU DPAs to have “an active role” in handling complaints. No complaints by European citizens about data privacy should be left unanswered, she stressed.

“This is essential for a new arrangement. Given that the right to legal remedy is enshrined in our charter of fundamental rights,” she said.

Jourová also made it clear that any new agreement would itself be subject to ongoing oversight. So no more deals that run on unchecked for fifteen years. Instead there would be an annual joint review process looking at “all aspects of the arrangement”.

“Let me be very clear, we will need to continue to monitor developments in this area also in the future… This will not be one off decision. This means the start of monitoring because what we need now is trust. But we also have a duty to check,” she said.

The Article 29 Working Party, comprised of representatives of all of the national DPAs, is due to hold a press conference on Wednesday in which they will discuss findings of their own impact assessment of the ECJ ruling on the alternative data transfer methods that must now be used instead of the invalidated Safe Harbor. So it remains to be seen whether they will be champing at the bit to start actions against potential infringers.

The DPAs are a varied bunch. Some, such as the UK’s ICO, frequently appear tonally far more pro-business than pro-privacy/pro-consumer. Whereas the reverse is true for France’s CNIL, or German DPAs, such as the Hamburg DPA. So how different DPAs react is going to be interesting to watch.

(At the end of last year, European privacy campaigner Max Schrems filed multiple updated complaints against Facebook, in light of the Safe Harbor strikedown, lodging the complaints with three different DPAs. Schrems has also said he intends to file more complaints against other tech companies, which should be braced for other complainants to follow suit — and for DPAs with more fire in their belly for consumer rights to start showing some teeth.)

That said, Jourová said talks would be continuing this evening to try to close the final gaps — so the hint is that a new deal is in fact very close.

“Finally we need commitments by the US that are formal and binding. And as this will not be an international agreement but an exchange of letters we need signatures at the highest political level and publication of the commitments in the federal register,” she added.

A sense of déjà vu…

However, for all her tough talk, Jourová was savaged during questioning by MEPs with criticism that any new Safe Harbor should be based just on an exchange of letters, rather than being a fully fledged international agreement.

She also revealed the rather salient detail that the fledgling agreement that’s still being hammered out does in fact allow for “generalized access” to data (i.e. non-targeted, mass surveillance) by the US intelligence agencies in certain circumstances… As they say, the devil really is in the detail.

https://twitter.com/maxschrems/status/694247648279318528

“Generalized access… may happen in very rare cases. In fact under three circumstances: if the tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access. But we warn in our negotiations our American partners that this targeted access must be really prior one, it cannot be swallowed by the generalized access,” said Jourová.

She added that the EC requires these exceptions to be “very precisely described”, and to be checked via an ongoing oversight process by an independent ombudsman. But she also used the T word: trust. So it looks like the frenzied US lobbying and political pressure being brought to secure a new agreement on data flows might well have borne fruit.

All of which roundly failed to impress the man who brought down the last Safe Harbor agreement…

https://twitter.com/maxschrems/status/694248687187423233

https://twitter.com/maxschrems/status/694252591082029060

https://twitter.com/maxschrems/status/694253588525223936

https://twitter.com/maxschrems/status/694258411287007236

So, the upshot of the Safe Harbor negotiations as it stands: no legal certainty for businesses wanting to export data from Europe right now, and little legal certainty in future if the EC folds on concessions on mass surveillance — only for the ECJ to unpick that second agreement in future.

In a statement responding to developments, the US Centre for Digital Democracy dubbed it an apparent “capitulation” by the EU to US negotiators.

“The Obama Administration appears to have successfully brokered a deal that lets Google, Facebook and the other major US data companies avoid changing their business practices. The EU’s capitulation to the U.S. negotiators puts European citizens in great peril. Forcing them to appeal first to U.S. corporations before going to their own government regulators undermines their fundamental right to privacy,” it writes.

“Given the lack of transparency in the operations of these powerful global digital media companies, it will be impossible for individuals in the EU to even know when their data protection rights have been violated. The US does not have the necessary privacy and consumer protection laws for safeguarding its own citizens. Nor does the Federal Trade Commission have sufficient authority to regulate the complex and massive ‘Big Data’ apparatus that poses such unprecedented threats to everyone’s privacy.”

Europe And US Seal ‘Privacy Shield’ Data Transfer Deal To Replace Safe Harbor


A new transatlantic data transfer deal has been announced today between the EU and the US. The new EU-US Privacy Shield will replace the old Safe Harbor agreement, which was invalidated by the European Court of Justice last October, on the grounds that US mass surveillance programs were violating fundamental European privacy rights.

At that point, talks to update Safe Harbor had already been going on for several years, ever since the 2013 Snowden revelations disclosed the extent of government agencies’ access to data. However, the ECJ strikedown of Safe Harbor brought fresh imperative to the process, and the EC set a three-month deadline to agree a new deal.

Although the two sides didn’t quite secure a new deal by that deadline, commissioner Věra Jourová said yesterday a deal was close. Evidently very close, with the EC today announcing a new framework has been agreed to govern the flow of data across the Atlantic.

Although, it should be noted, no text of the agreement has yet been published — and that process is apparently “some” weeks out, so plenty of questions remain. And some continued uncertainty for US businesses needing to be in compliance with EU law in the meanwhile.

The EC said today:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Specific elements of the new agreement highlighted by the EC are what it dubs “strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”. The US Department of Commerce will monitor that companies publish their commitments, which the EC said in turn makes them enforceable under US law by the FTC. Companies handling human resources data from Europe will also have to comply with decisions by European DPAs.

It also flags up what it describes as “clear safeguards and transparency obligations” on US government agencies’ access to data, noting that for the first time the US has given the EU written assurances that access will be subject to “clear limitations, safeguards and oversight mechanisms”.

It also notes that the US has “ruled out indiscriminate mass surveillance” on European personal data transferred to the US under the new arrangement — although yesterday Jourová conceded there would be three exceptions where mass surveillance is in fact allowed: if targeted surveillance is not technically or operationally possible, or if they see some “dangerous new trend” that needs more than targeted access.

US agencies’ access to European citizens’ data will be regularly monitored under the new agreement, via an annual joint review process, which will also look at all aspects of the agreement. The review will be conducted by the EC and the US Department of Commerce, with national intelligence experts from the US and European Data Protection Authorities also invited to take part.

On the matter of redress for EU citizens wanting to complain about misuse of their data in the US, the EC says the new arrangement offers “several” possibilities, with companies having deadlines to reply to complaints, and European DPAs able to refer complaints to the Department of Commerce and the FTC. Complaints on possible access to data by national intelligence authorities will be referable to a new Ombudsperson — with the position created as part of the arrangement.

In terms of next steps, the EC said it will prepare a draft “adequacy decision” in the coming weeks — although it still has to convince other parts of the European political machinery to accept this draft (so, as others are arguing, a deal is not really done yet). It added that the US side will need to make the “necessary preparations” to put in place the new framework, monitoring mechanisms and new Ombudsman. Assuming the rest of the European project can be convinced that the Privacy Shield does not contain the same fatal flaws as Safe Harbor.

Business groups, such as the US Chamber of Commerce and the UK CBI, unsurprisingly welcomed the announcement, but others have warned the legal footing here may prove just as flawed as the prior Safe Harbor.

Making an initial statement on the Privacy Shield deal, European privacy campaigner Max Schrems, whose legal action against Facebook ultimately brought down the original Safe Harbor, expressed scepticism the deal goes far enough to stand the test of another legal challenge at the ECJ.

“The Court has explicitly held, that any generalized access to such data violates the fundamental rights of EU citizens. The Commissioner herself has said this form of surveillance continues to take place in the US yesterday. Today there should be some agreement, in whatever form, that ensures that EU data is not used anymore. This will be the sticking point for a new challenge before the Court in respect to national surveillance,” he noted.

Also commenting critically on the announcement, MEP Jan Philipp Albrecht, who was closely involved in the multi-year process to update European data protection regulations which finally yielded agreement last December, dubbed the deal “little more than a reheated serving of the pre-existing Safe Harbor decision” and a “sellout of the fundamental EU right to data protection”. He also suggested it would not pass muster with the ECJ in future.

“The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision. The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens’ complaints,” said Albrecht.

“The European Parliament and national data protection authorities must make clear that such a legally dubious declaration will not stand. If this framework is adopted unchanged, it can be expected that member states’ data protection authorities will exercise the new powers granted to them via the European Court ruling to subject any data transfers to additional security measures. It seems clear that this new framework will also be challenged in the European Court of Justice, as it is clear that it does not fulfil the conditions of the court’s ruling.”

And if fresh legal challenges await, as critics suggest, the Privacy Shield is not going to provide businesses with the sought-for certainty, even as it fails to uphold the red lines of European data protection law. So any momentary political point scoring on the part of the EC being able to trumpet ‘a deal’ being reached won’t, in the long run, amount to much if we end up back where we started in just a few years (or sooner).

https://twitter.com/maxschrems/status/694564283552759808

EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29


A mote of certainty for US businesses that export EU data for processing and are wondering whether or not they are in compliance with EU law right now, given the legal quagmire of EU-US data protection relations. The Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has said today that it will not be taking enforcement action against companies that are using alternative transfer mechanisms in the wake of last year’s Safe Harbor strikedown.

The European Court of Justice invalidated Safe Harbor last October, following a legal challenge brought by European privacy campaigner Max Schrems, but the European Commission pointed companies to alternative transfer mechanisms they could use in the interim, such as standard contractual clauses and model contracts.

The WP29 has been assessing these mechanisms for the past few months, and said today that it does have concerns about their legality, in light of US government agencies’ access to European citizens’ data for surveillance purposes. However it is suspending these concerns temporarily while it waits to see details of the new data transfer deal, the EU-US Privacy Shield, announced yesterday by the European Commission.

“We will have to receive the proper documents on this announcement because it’s still words from the Commission,” said Isabelle Falque-Pierrotin, chair of the WP29 and head of France’s CNIL DPA, speaking during a press conference, and after the body met with Commissioner Věra Jourová to discuss the Privacy Shield deal this morning.

“We need to receive these documents in order to know precisely the content of these documents and also the legal bindingness of this announcement. Because until now we’ve been told that it was an exchange of letters. A unilateral act from the Commission. We don’t know exactly what it covers, and what is the legal bindingness. And also we want to receive the documents in order to assess whether this EU-US Privacy Shield can answer to the wider concerns raised by the Schrems judgement as regards all the international transfer of personal data.”

So, in other words, companies that have switched from using the now illegal Safe Harbor to alternative data transfer mechanisms can breathe easy for now that they are not going to face enforcement action from European DPAs. (Although any companies still relying on Safe Harbor do not have that certainty; Falque-Pierrotin confirmed such companies are in “an illegal situation” and may face enforcement — depending on the DPAs in question, and whether they receive any complaints.)

Some European DPAs had previously suggested they might block transfers of data based on alternative mechanisms. But Falque-Pierrotin confirmed that all the DPAs have agreed to take a common position for now.

Effectively then, the WP29 has agreed to allow more time for the EU and the US to try to forge a new data transfer agreement. Although, at this stage, it is by no means certain yesterday’s trumpeted Privacy Shield will in fact pass muster. Falque-Pierrotin repeatedly emphasized that the WP29 remains in the dark on the details of the arrangement and thus cannot judge whether it will be robust enough.

Instead, she said it has agreed to allow more time to the two sides to deliver a text with full details of the agreement — which it will then study to make a proper assessment.

“The legal format of the arrangement is still unclear for us,” she said, responding to questions from journalists during the press conference. “We had the commissioner saying this morning it was a unilateral decision from the Commission. I heard ‘exchange of letters’. To be honest we don’t know a lot about this. So we still have to wait and see exactly what is provided by US in terms of commitments.”

“It’s difficult to come to a conclusion when you are facing a political will but no real documents,” she added. “We had to find a way in our position between being too rigid and closing any type of hopes… and being too open on legitimate grounds. So we believe that the position we’ve taken is a sensible one that says we are going to wait but not too long to be able to assess the quality, the content, the legal consequences of this arrangement.

“The persons that are able to fix the situation it is the negotiators. Now we have something brought by the negotiators… Let’s give them the possibility to convince us.”

In terms of timeframe, she said that depends on the Commission. But the WP29 is calling for a full document to be delivered by the end of February. It is intending to then hold a meeting in March to assess the text, and could, she said, come to a conclusion on whether the Privacy Shield is acceptable by mid-April or the end of April — again, depending on whether the EC fulfills this timetable or not.

The WP29’s future analysis of the Privacy Shield will focus on what Falque-Pierrotin said are “four essential guarantees” — gleaned from its prior analysis of European jurisprudence — that she said must be respected when US intelligence services have access to European data, namely that:

  • processing must be based on “clear, precise and accessible rules”
  • there should be “necessity and proportionality” in accessing personal data from European citizens
  • there needs to be an independent oversight mechanism to oversee how EU citizens’ data is being accessed by intelligence services
  • there must be “effective remedies” open to EU individuals wanting to make complaints — “and anyone should have right to defend her/his right before an independent body”

“These four essential guarantees constitute a kind of European standard,” she said, adding that such guarantees must also be applied to cover data transferred to other countries within Europe.

Earlier this week it emerged that the Privacy Shield arrangement includes exceptions to allow for some US mass surveillance of EU citizens’ data — with Jourová listing three circumstances when “generalized access” would be allowed: “if the tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access”. So it remains to be seen whether these exceptions can be squared with the WP29’s four essential guarantees.

The WP29 is due to issue a statement later today with more details on its position — we’ll update this story with a link when this is published.
