US & Europe miss deadline for new 'Safe Harbor' agreement on overseas data transfers

In spite of late-hour talks, U.S. and European officials missed a deadline on Sunday to renegotiate a "Safe Harbor" agreement allowing companies like Apple and Google to shuttle data back and forth across the Atlantic.

The deadline was set by Europe's national privacy agencies, some of which have threatened legal action without a new agreement, according to the New York Times. The groups are set to publish their own judgment on Wednesday, and sources told the Times that officials involved in the negotiations are hoping to strike at least a broad deal beforehand.

Though in place for 15 years, the previous Safe Harbor agreement was ruled invalid in October by the European Court of Justice, as it allowed American governmental agencies to gain access to the data of Europeans. The court specifically cited leaks from former National Security Agency contractor Edward Snowden, who revealed the broad reach of the organization across the globe, including the collection of data from millions of people not even under suspicion of a crime.

How data might be protected from U.S. surveillance is reportedly a major obstacle in the negotiations, as is how Europeans might be able to seek justice in American courts. The American faction is offering things like increased oversight over intelligence agencies' access to European data, and the creation of a data ombudsman at the State Department. Europeans would also be able to take direct legal action against American companies accused of using data illegally.

European negotiators are said to be concerned that these arrangements might not stand up in the continent's courts, however, and are asking for specifics on how the proposed programs would run.

Apple has yet to open its first European datacenters, which will launch in Ireland and Denmark in 2017, meaning that like a number of American tech businesses, it's dependent on sending data out of the region. Most such businesses should continue operating as usual for the foreseeable future, but could be forced to adopt more stringent measures and/or defend themselves against increased legal action until the landscape is settled.



4 Comments

SpamSandwich 19 Years · 32917 comments

This is why Elon Musk's idea for low-orbit satellite-based Internet makes sense. Completely take control over these pipes away from authoritarians.

williamh 13 Years · 1048 comments

This is why Elon Musk's idea for low-orbit satellite-based Internet makes sense. Completely take control over these pipes away from authoritarians.

I appreciate the thought, but the authoritarians will still be after everyone. European privacy laws are very different from the US and very much more broad in scope and restrictive. Even if there was a direct pipe from the EU user to the outside-EU data center, the EU laws will still apply. The result could be that some companies will need to stop providing some services in the EU.

williamh 13 Years · 1048 comments

Tiny bit of context:  

The US has a sector-based approach to privacy law. Medical records are protected by one law, a student's records are protected by another, financial records by another, etc. and the laws don't apply to everyone. For example, the HIPAA privacy rule basically applies to insurance companies, those who transmit records to insurance companies (doctors, etc.), and those who provide services for either of the first two categories (companies that process medical records, etc.). The law does not apply to a doctor that doesn't accept insurance. (Such do exist.) It also doesn't apply to many other sorts of organizations or people that might have your health records for some reason. In the US, when there is a data breach, it's often treated not as a violation of law but as a breach of contract or unfair trade practice. Basically the FCC goes after an organization for not following their own stated privacy policy or some such thing.

The EU treats personal privacy like a human right and therefore it is very broad in scope. EU member countries adopt their own laws but basically have legal protections for personal data no matter who is collecting it.

The Safe Harbor Agreements were intended to facilitate data transfers between the EU and the US by establishing that a US company would be compliant with EU privacy requirements if they adopted principles upon which the EU requirements are based. With Safe Harbor in jeopardy, US companies are more likely to be subject to enforcement actions in the EU.

John Lockwood 8 Years · 12 comments

I think one of the triggers for this disagreement was the US government blatantly trying to bypass EU Data Protection legislation by ordering Microsoft to hand over emails stored on a server located in Ireland. The US government did not bother to apply for a search warrant in Ireland where the server was located and even when the Irish government offered to assist in processing a warrant the US government persisted in ignoring that and continuing to take legal action against Microsoft.

This was at the time a very high-profile legal case with enormous ramifications for the Cloud/SAAS industries but ended up fizzling out as the defendant ultimately pleaded guilty to the charges, meaning the email evidence was no longer needed.

See https://www.washingtonpost.com/world/national-security/microsoft-fights-us-search-warrant-for-customer-e-mails-held-in-overseas-server/2014/06/10/6b8416ae-f0a7-11e3-914c-1fbd0614e2d4_story.html and http://dataethics.eu/en/microsoft-vs-us-can-sink-safe-habor/ amongst others.

Still, the extremely high-handed and illegal attitude of the US government was at least partly responsible for the pre-existing data 'safe harbour' agreement between the US and the EU being revoked.

This, along with the fact that the US has been caught eavesdropping on the mobile phone of Chancellor Merkel of Germany, has really pissed off Europeans.

By the way, while the currently rejected proposals of the US government offer (supposedly) legal redress to EU citizens against US corporations, what about legal redress against the US government itself, which has been proven to spy illegally on EU citizens and to ignore EU laws? Can't see them allowing that.