Europe has delivered a definitive rebuke of U.S. surveillance powers. Now comes the hard part: deciding how far the bloc will go to protect Europeans data.

On Thursday, the Court of Justice of the European Union struck down Privacy Shield, a transatlantic data protection deal that underpinned billions of euros in digital trade, due to concerns about U.S. snooping.

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market,” said Max Schrems, the Austrian privacy activist whose legal complaints have led to the collapse of not one but two transatlantic data protection deals.

Yet the U.S., at least for now, appears unwilling to reform spying powers that have plagued transatlantic ties ever since NSA whistleblower Edward Snowden revealed wholesale spying back in 2013.

Speaking to reporters on Thursday, a senior U.S. official said it was neither “advisable nor possible” to consider an overhaul of surveillance powers in the short term.

Neither Brussels nor Washington seems willing to contemplate the nuclear option: forcing companies to keep data on Europeans in the EU.

“The European Union must not give the U.S. standards it does not apply to other countries that have no concern for protecting consumer data,” said influential U.S. lawmakers Greg Walden and Cathy McMorris Rodgers in a joint statement, calling the decision a “significant setback” to the safety of both Americans and Europeans.

That leaves the question of what to do about U.S. data transfers squarely on Europes doorstep. In the coming weeks, the European Commission will assess its options, including coming up with a new transatlantic deal to replace the two failed ones that came before it.

Neither Brussels nor Washington seems willing to contemplate the nuclear option: forcing companies to keep data on Europeans in the EU — although EU regulators seem keener on the idea.

Yet any deal that fails to address deep concerns about surveillance will be seen as a capitulation of the highest order by Europes privacy hawks, who have long called the Privacy Shield a farce.

In what amounts to a lifeline to businesses, the EUs top court said they could still use a legal tool to send data overseas. But it specified that this would only work if the destination country had acceptable limits on spying — which does not appear to be the case for the United States.

Grace period?

So what happens now? Europes data protection agencies will have to determine, in the coming days and weeks, what to do about so-called standard contractual clauses (SCCs) and how to keep data flowing across the Atlantic. So far, the mood is tense.

In a statement on Thursday, Hamburg data protection chief Johannes Caspar warned that SCCs — the legal tools that many companies, including Facebook, use to send data to the U.S. — now pose a problem.

“If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the U.S., the same must also apply to the SCCs,” he said. “Uncertainty has increased. The [court] is passing the ball to the European supervisory authorities.”

Irelands Data Protection Commission, which oversees the activities of many Silicon Valley companies in Europe, struck a similar note. It called the use of SCCs “questionable” in light of the ruling, inviting other watchdogs to quickly come up with a plan.

Berlins regulator went further, calling for data to stay in Europe following the ruling.

“The times when personal data is transferred to Read More – Source

[contf] [contfnew]

politico

[contfnewc] [contfnewc]