Privacy groups warn a new Safe Harbor will be struck down

A group of around 40 privacy groups from both sides of the Atlantic on Friday wrote to European Union and U.S. officials to say the proposal for a new data transfer agreement is insufficient to protect privacy and will likely be struck down by regulators and Europe's high court. 

ADVERTISEMENT
“A revised Safe Harbor framework similar to the earlier Safe Harbor framework will almost certainly be found invalid by the national data protection agencies and ultimately by the [Court of Justice of the European Union],” the groups wrote.

Secretary of Commerce Penny PritzkerPenny PritzkerOvernight Cybersecurity: Privacy Shield takes effect US, EU strike data transfer deal House passes legislation blocking Boeing sale to Iran Air MORE and European Commissioner Vĕra Jourová began talks in Washington, D.C., on Thursday to hammer out the details of a new agreement after the EU court struck down the 15-year-old framework.

The original Safe Harbor agreement, negotiated in 2000, allowed companies to handle European citizens’ data by self-certifying that they met Europe’s more stringent privacy requirements.

Companies have been left scrambling for alternatives, many of which are cumbersome and expensive. Many say that a new Safe Harbor is the only way to keep data shuttling smoothly across the Atlantic.

But some experts have expressed concerns that Safe Harbor 2.0 will be struck down as summarily as the original document.

“What we now know is that [Safe Harbor] can be attacked from day one,” Susan Foster, a privacy attorney at Mintz Levin who works in both the U.S. and the European Union, told The Hill this month. “And I expect it will be.”

The problem is that while a working group of data protection authorities — separate entities from the European Commission — has given negotiators a three-month grace period to come up with an updated agreement before it will take enforcement action, some regulators are stricter than others.

Germany’s data protection authority announced last month that despite the working group’s assurance, it would be proactively investigating data transfers to the U.S., beginning with Google and Facebook.

“I think you will almost immediately see European data protection agencies attack the revised agreement,” said Marc Rotenberg, president of the digital rights advocate Electronic Privacy Information Center (EPIC) at a recent hearing held by two subcommittees of the House Energy and Commerce Committee.

EPIC, along with Consumer Watchdog, is one of the U.S. signees of Friday’s letter.

The letter calls for fundamental changes to both U.S. and EU privacy law to ensure that data transfers can continue across the Atlantic.

“The Court of Justice of the European Union has made clear that it is the ‘domestic law’ and the ‘international commitments’ of the United States that will determine whether future data transfers to the United States will be permitted,” the groups write.

“We urge you to commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.”