Data exchange talks lag, jeopardizing US firms' ability to operate in Europe

Ongoing issues relating to US national security and spying imperil 'safe harbor' personal data pact

Thanks to revelations about government spying, a revamped version of a 15-year-old agreement governing the exchange of personal data between the EU and the U.S. still seems a long way off, threatening the ability of American companies to do business in Europe.

The E.U. Safe Harbor framework is a set of standards for protecting the privacy of EU residents when their data is transmitted to the U.S. It contains policy directives that must be taken into account in order for companies like Google, Facebook, Microsoft and thousands of small companies in all sorts of businesses to process data in the U.S. from EU citizens.

However, the revelations by Edward Snowden about U.S. National Security Agency spying have shaken European confidence about data exchanges between the EU and the U.S. In November last year, about five months after Snowden's leaks appeared in the press, the European Commission sent a list of 13 demands to the U.S., basically saying: This is what we need you to do to keep the Safe Harbor agreement in place.

It asked the U.S. authorities to identify remedies by this summer. But so far, a deal is not in sight. That, at least, is the story that emerged this week at the Europe Data Protection Congress in Brussels. At the conference, organized by the International Association of Privacy Professionals (IAPP), attendees were given an update on negotiations on the Safe Harbor agreement by EU and U.S. officials.

Last month, U.S. lawmakers were reminded that they need to address European concerns when Andrus Ansip, the new vice president of the European Commission responsible for the Digital Single Market, said that he was willing to suspend the Safe Harbor agreement if that does not happen.

While 11 of the 13 demands have been sorted out, two are still being negotiated, said Ted Dean, deputy assistant secretary at the U.S. Department of Commerce (DOC), during the conference. The two remaining points of discussion involve national security, said Dean, who added that as his department is not the lead agency on this, he could say little on the subject.

However, of the two remaining issues, the most important is a requirement for the U.S. to only use the national security exception in the Safe Harbor agreement "to an extent that is strictly necessary or proportionate," according to Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party (WP29), which represents European data protection authorities and advises the European Commission on Safe Harbor issues. Perhaps most importantly, European officials do not want the security exception to be used for mass surveillance of European citizens.

Aside from the ongoing slog of negotiations, U.S. and EU officials agreed that the Safe Harbor agreement is one of the most important legal-policy compliance tools between the two continents.

"These are very challenging issues," Dean said. "I have heard folks when I have been in Europe say things that to U.S. ears sound a little bit like: 'You Americans just don't understand privacy'. And I've heard things being said in the United States that I think to European ears sounds a bit like: 'We live in a dangerous world and you just don't get it'. Neither one of those characterizations is true."

The DOC wants to keep the Safe Harbor agreement in place to make sure all of the approximately 3,800 companies that signed up for it can continue to do business in Europe.

His wish to keep the agreement alive was backed by Julie Brill, a commissioner at the U.S. Federal Trade Commission (FTC), which has been acting as an enforcement authority for the Safe Harbor deal.

"I think Safe Harbor is a deeply important tool for consumer protection and privacy," she said.

She also vowed that the FTC will use the tool to bring enforcement action against companies, including Facebook or Google, if appropriate. "So I have said, please don't take it away from me. As a law enforcement official, I do not want any tools taken away," she said.

Having listened to the views of the conference attendees, Henriette Tielemans, a Brussels-based data protection lawyer who is also an IAPP board member, said: "I take from that there is hope. There seems to be a very great determination on both sides to make this happen. But there is still a long way to go."

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
