Since Safe Harbour fell last year it has been interesting watching the efforts to replace it. Max Schrems is to be congratulated for bringing to an end the “don’t ask, don’t tell” approach to the previous arrangements. Now everyone seems to admit they were inadequate and a replacement is needed.
The trick is how to get there when there can be very different views on privacy, people’s rights (especially non citizens), and expectations around them.
One of the interesting perspectives I read about it all was this one from Ars Technica, which talks about the way the original CJEU ruling was framed. As they say:
The careful legal reasoning used by the CJEU to reach its decisions will make its rulings extremely hard, if not impossible, to circumvent, since they are based on the EU Charter of Fundamental Rights.
So a fudge around tweaking existing laws or regulations will not be adequate.
Most of the discussion on the replacement have been happening behind closed doors, though there have been plenty of leaks. According to The Register the need for reform of Safe Harbour had been seen for a while, and suggestions had been made. However:
Not one of those recommendations was implemented by the US before the European Court of Justice struck down the agreement. Since October, occasional leaks over the negotiations have repeatedly pointed to intransigence on the part of the US intelligence services as the main stumbling block.
With the January 31st deadline about to expire things are down to the wire. I see now (via Jonathan King) that the US senate is pushing through legislation which is supposed to boost protection that Europeans can enjoy in US courts.
Personally I am a bit concerned that the details of this protection seems pretty restrictive and limiting:
the right to request access to records shared by their governments with U.S. agencies in the course of a criminal investigation, correct those records if they are wrong, and sue if the records are illegally disclosed.
That does not seem to address the routine data slurping that has been occurring.
And the legislation is only with a senate committee. An actual vote, or one with the other chamber is not likely to happen any time soon. The questions I come away with are:
- Will this actually get passed?
- Will it be adequate?
And from a personal perspective, how do these new protections for EU citizens compare to the ones Americans get? The latest proposal matches legislation from the 1970s for US citizens. But they also get constitutional protection (in theory) from surveillance by their own state. That is not something Europeans can expect.
I will be surprised if we reach a solution in this before before the end of February. With the EU having to take action after than, companies are going to be looking for local solutions to protect themselves.