The phone call that saved safe harbor

How three months, two women and a last-minute intervention brought about the new transatlantic data pact.

The breakthrough phone call came in the middle-of-the-night last Tuesday. On the line: John Kerry, the U.S. secretary of state, and Frans Timmermans, the first vice-president of the European Commission.

Negotiations were at a stalemate and running out of time. Officials from the European Union and America could not break through a couple roadblocks to forge an agreement to give legal cover for companies to transfer data across the Atlantic. The official January 31 deadline had already passed.

To understand how the deal came together, POLITICO spoke with 10 negotiators and officials on both sides. All requested anonymity due to the sensitive nature of the negotiations.

Hours before that call, Věra Jourová, the EU’s commissioner for justice, consumer protection and gender equality, faced a frosty reception from Parliament’s Civil Liberties, Justice and Home Affairs Committee in Strasbourg. Jourová had come to brief them on the progress of talks, but in truth there was little.

Jourová left the meeting around 9 p.m. Soon after, she was on the phone with her American counterpart in the talks, Penny Pritzker, the U.S. secretary of commerce.

The two women, both tough negotiators, had spoken frequently in the previous month. But Pritzker couldn’t offer Jourová the assurances she needed to sign off on a new pact.

Click Here: Maori All Blacks Store

Two obstacles remained: How would the U.S. guarantee that complaints from Europeans would be investigated? How would the Commission ensure data would not be intercepted indiscriminately as it traveled across the Atlantic?

After Jourová and Pritzker hung up, Kerry and Timmermans were on the phone to each other. It was past midnight in Strasbourg. The men spoke at length about the Americans’ offer to appoint an ombudsman in Kerry’s department to oversee how security authorities accessed Europeans’ data.

The idea for an ombudsman had been floated earlier in the month, and the reception on the EU side was lukewarm. Europeans wanted the position to be independent and have real power. And they wanted it in writing. Kerry agreed.

Where it all began

The safe harbor agreement had been teetering on the precipice for years.

The clock started ticking in June 2013, when Edward Snowden revealed the extent of the U.S. National Security Agency’s surveillance.

In November that year, the Commission issued a statement condemning the NSA surveillance and made 13 recommendations.

“Massive spying on our citizens, companies and leaders is unacceptable,” said Viviane Reding, the European commissioner for justice at the time. Cecilia Malmström, then commissioner for home affairs, added: ”European citizens’ trust has been shaken by the Snowden case, and serious concerns still remain following the allegations of widespread access by U.S. intelligence agencies to personal data.”

The old safe harbor framework, bruised though it was, would remain until a new arrangement could be negotiated, the Commission decided.

Enter Max Schrems.

Then a law student in Austria, Schrems was on a privacy crusade. Starting in 2011, he had filed complaint after complaint about Facebook’s handling of data. The Irish Data Protection commissioner was in charge because Facebook’s European headquarters are in Dublin. Schrems complained about a range of issues, including that Facebook didn’t remove “pokes” even after the user deleted them, and that users could be added to groups without their consent.

In the wake of Snowden’s revelations, Schrems alleged that Facebook Ireland was forwarding data to the NSA, via the company’s California headquarters. Ireland’s data protection commissioner at the time, Billy Hawkes, refused to investigate. He said the safe harbor framework provided sufficient cover for Facebook’s data transfers. Schrems continued to fight and in September 2014 ended up in the European Court of Justice. The waiting game began.

A year later, Yves Bot, the advocate general at the European Court of Justice (ECJ), recommended killing the safe harbor agreement. Two weeks later, on October 6, the ECJ concurred. Safe harbor was dead.

The shockwaves reverberated through boardrooms and meeting rooms from Silicon Valley to the Berlaymont. Thousands of companies relied on the safe harbor accord to transfer everything from photos to bank details.

What happened next

The data protection authorities from the EU member countries belong to an oddly named group, the Article 29 Working Party. They met in Brussels October 15, 2015.

It was a cold, wet day. A half-hour before the meeting started, Helen Dixon, Ireland’s data protection commissioner, took a seat in the first-floor café of the Commission’s Albert Borschette Congress Center.

She would be in the spotlight. A year into the job, Dixon was keen to show her counterparts that she ran a tighter ship than her predecessor.

With a much bigger budget, her staff had almost doubled. They had new, swanky offices in Dublin, in addition to their old premises above a supermarket in Portarlington, an hour southwest of Dublin.

“You should try to speak towards the beginning,” one of her advisers suggested. “Get some clear air.”

But that would prove difficult. The Germans, hypersensitive to state surveillance, were quick to command the floor. And there were lots of them, with multiple members of Germany’s 16 regional data protection authorities in the room.

The Schleswig-Holstein authority had broken ranks the week before. They said “model clauses,” one of the alternatives to safe harbor, were also invalid for transatlantic data transfers.

The meeting finished with no clear consensus. Early the next evening, Isabelle Falque-Pierrotin, the French chair of the Article 29 group, managed to get everyone on board and released a statement outlining the group’s position.

The DPAs agreed to a three-month grace period. If the Commission didn’t replace safe harbor by January 31, they would take “all necessary and appropriate actions, which may include coordinated enforcement actions.”

Under siege

By the end of October, the U.S. felt under siege from its transatlantic ally.

The death knell for safe harbor followed a series of high-profile tax and antitrust investigations into U.S. companies launched by the EU’s competition commissioner.

Jourová, a first-time commissioner, believed the bruised relationship was grounded in a misunderstanding of the way Europe’s top court worked. It was time to pay a visit. She touched down in Washington, D.C., on November 12, along with Dimitris Avramopoulos, the commissioner for migration, home affairs and citizenship.

The next day, Paris was hit by coordinated terror attacks. The carnage changed the tenor of the debate.

The attacks inevitably led some to push for a greater focus on national security. Would Europeans still care as strongly about protecting their privacy now? Would the Americans use the opportunity to point out the NSA’s role in preventing further such attacks on European, as well as American, soil?

The text messages and emails from Brussels started coming almost immediately. Come back, they said, you can’t try to negotiate for privacy and restrictions to surveillance now. Jourová decided to stick around. The talks, interrupted, resumed.

EU sources say the Americans didn’t use the Paris attacks to push the Europeans to back down on safe harbor.

And by all accounts the EU’s line also remained firm: Terrorists or no, Europeans’ right to privacy and the European Court of Justice’s ruling weren’t going anywhere.

Judicial redress mess

The negotiators were exhausted. Christmas and New Year’s Eve came and went. The deadline loomed and a deal seemed no closer. The late-night pizza dinners were becoming a bore, as were the Berlaymont’s automatic lights, which periodically plunged the dozen or so officials into darkness.

The sides were going around in circles, blaming each other for the impasse.

Meetings intensified. Julie Brill, the U.S. federal trade commissioner, seemed to make Brussels her second home, intent on spreading the word the U.S. would prioritize European privacy concerns.

But the FTC receives 2 million complaints a year and couldn’t promise to investigate each one as EU’s data protection authorities do.

On surveillance, Brill and the other American envoys insisted the NSA had not been as invasive as Snowden’s revelations initially made it seem, and that in any case, there were new rules to curb the agency’s powers.

Europeans acknowledged the U.S. had made efforts. But was it enough?

And then there was the Judicial Redress Act.

For months, Europe’s top policymakers had been waiting for the U.S. Senate to pass a bill that would allow EU citizens to file civil actions under the U.S. Privacy Act to redress unlawful data disclosures. The House of Representatives voted in favor in October, but the bill languished in the Senate Judiciary Committee.

For the Commission, the proposed law was crucial. EU negotiators saw its passage as a vital sign of goodwill. With just weeks left before the January 31 deadline, pressure increased.

It seemed like the Europeans held all aces. Ultimately, safe harbor 2.0 was a unilateral decision by the Commission. For once, the U.S. had to toe the line.

Until someone broke ranks.

Andrea Glorioso, counselor for the digital economy with the EU’s delegation to the U.S., appeared at the State of the Net conference in Washington, and said the Judicial Redress Act was a nice-to-have, but not a must-have.

“As far as I’m aware, in our negotiations we’ve never subjected the conclusion of the safe harbor agreement to [the passage of] the Judicial Redress Act,” he said.

Jourová’s team was furious. Glorioso, while right from a technical standpoint, had clearly misunderstood the reasons the Commission had been pushing so hard for the Act to pass. His statements, picked up on by the U.S. and EU press, went off the script. Commission staffers phoned journalists to refute Glorioso’s claims.

The damage had been done.

The Judicial Redress Act finally passed the Judiciary Committee on January 28. But an amendment by Senator John Cornyn made the privacy protections in the bill conditional on the Europeans signing on to a new safe harbor deal.

Not the goodwill gesture the Commission was waiting for.

Star Wars inspiration

Jourová was keen to show the new arrangement was radically different to the old. So what to call it?

Jourová had been canvassing opinion for weeks. The suggestions were always “transatlantic” this or “data protection” that. The commissioner found them boring — she wanted something catchy, that symbolized the added protections she felt the new framework provided.

A week before the deal was finally done, someone (it’s not clear who), suggested “privacy shield.” It was fun, Jourová said, Star Wars-y. It sounded impenetrable, strong.

Jourová decided to keep the new name quiet. It wasn’t until the afternoon after the Kerry-Timmermans phone call that sealed the deal that Jourová formally shared the name with her American colleagues.

The lawyers and civil servants had spent February 2 ironing out the technical details of the new framework.

Jourová was on the phone to Priztker on and off all day. At 3:30 p.m., just after the College of Commissioners meeting, Jourová called again. The College had signed off and Jourová said, “I want to call it the EU-U.S. privacy shield.”

Pritzker needed to check with her people. Half an hour later, just before 4 p.m., she rang back.

At 4:30 p.m. on Tuesday, February 2, the deal was announced in a triumphant press conference in Strasbourg.

But the issue is far from settled.

The Article 29 Working Party met in Brussels on February 2 and 3 to discuss their next steps. With nothing on paper to look at, the DPAs adopted a wait-and-see approach. The Commission promised to deliver the full text of the agreement by the end of February. In late March, the authorities will meet again to decide if the shield is strong enough.

Nevertheless, it’s only a matter of time before the privacy shield must meet the test of the ECJ. Will it hold?

The European Commission and its American partners say it can withstand the challenge. Others, including key MEPs and Max Schrems himself, are not so sure.

A version of this article was first published on POLITICO Pro.