Negotiators from the U.S. and European Union have failed to come up with a new agreement to keep transatlantic data transfers legal, despite intensive talks over the weekend to replace the jettisoned “Safe Harbor” deal.
That means the end-of-January deadline for replacing Safe Harbor has now passed, and a lot of companies may soon find themselves in hot water for transferring people’s personal information from the EU to data-processing operations in the U.S.
This would apply to U.S. tech firms trying to serve consumers and businesses in the EU, multinationals trying to send basic details on EU employees back to a finance department in the U.S., and even some European tech companies that use a U.S.-based service as a component of their EU offering.
Here’s what you need to know.
How did we get here?
Safe Harbor was a special deal for the benefit of U.S. companies. The European Commission (the EU’s executive body) normally must declare that a country outside the bloc has data protection laws equivalent to those in the EU before EU citizens’ personal data can be transferred there.
That was not possible for the U.S., because the U.S. does not have equivalent laws: there, national security concerns can relatively easily overrule privacy rights. So back in 2000, the commission came up with a workaround scheme that let U.S. companies self-certify that they themselves adhere to EU-grade privacy standards, even if their country does not.
Fast-forward to last year, and the European Court of Justice (ECJ) struck down Safe Harbor, saying the commission never should have set it up in the first place. The ECJ, the EU’s highest court, was particularly unimpressed with the behavior of the U.S. security services through things like the PRISM program, as revealed by NSA whistleblower Edward Snowden.
Europe’s data protection authorities said they would wait until the start of February to start cracking down on companies that still rely on Safe Harbor as the legal basis for their EU-U.S. transfers. They will meet Tuesday and Wednesday to decide what to do next, so technically the commission and the U.S. negotiators have until then to pull something out of the hat.
“Work is still ongoing,” commission spokesman Christian Wigand said by email. “We are not there yet, but the Commission is working day and night on achieving a deal.”
Any chance of last-minute success?
Deeply unlikely, and frankly this has always been apparent. Using the word “negotiators” is cheating slightly—negotiations imply give-and-take, and from the European perspective, there is no potential “give.”
Any new arrangement would have to pass muster with the ECJ, following the reasoning set out by the court in October. That ruling was based on European fundamental rights, and asking to set them aside is a bit like asking American companies to forget about the U.S. Constitution. It simply can’t be done on a long-term basis—no matter how much EU politicians want to smooth the way for the transatlantic data economy.
Two of the biggest sticking points in the talks have been excessive surveillance on the part of the U.S. authorities, and the inability for EU citizens to complain to U.S. courts or independent bodies about the misuse of their personal data in that country (and yes, Americans have that right in the EU).
If these issues can’t be solved, there can’t be a deal. The data protection authorities are independent by law, and politics doesn’t come into this.
So could the U.S. give what’s needed?
Recent developments suggest not. As it happens, the U.S. Senate is currently considering a bill called the Judicial Redress Act, which would allow Europeans to complain about the misuse of their data by U.S. federal agencies—not quite the same territory as that covered by Safe Harbor, but close enough to make the bill very relevant to the post-Safe Harbor talks.
Last week, the Senate’s judiciary committee passed the bill with last-minute amendments saying policies regarding data transfers for commercial purposes must not “materially impede the national security interests of the United States.”
Not only was the committee confused (the bill is about law-enforcement cooperation, not commercial transfers), but the unexpected change sent the worst possible message to Europe: National security must still trump privacy considerations.
Meanwhile, the U.S. Federal Trade Commission (FTC) says it is open to handling Europeans’ complaints, but past experience suggests it is not well-resourced enough to do so to the degree that’s needed.
According to Wigand, the commission’s top brass are “confident that a deal is possible if all sides make further progress.” Given that the commission is one of those two sides, that means the U.S. has not gone far enough.
What can U.S. companies do now?
As things stand, there are few options for the thousands of companies that can no longer rely on Safe Harbor, and none of them are particularly palatable.
The two main alternative legal mechanisms are binding corporate rules (BCRs) and model clauses. BCRs are for multinationals wanting to transfer data internally, while model clauses are for contracts between corporations. BCRs are particularly awkward, as they take ages to set up (usually around 18 months) and, in some countries such as Germany, they require the approval of the local data protection authorities. In the wake of the ECJ’s ruling last year, the German watchdogs froze all approvals for new BCRs “for now.”
The biggest problem is that both BCRs and model clauses could have similar legal vulnerabilities to Safe Harbor. If EU citizens’ fundamental rights aren’t properly respected in the U.S., these mechanisms could also be struck down in court for failing to protect Europeans’ data.
Another option is for companies to get users’ explicit consent for data transfers with wording along the lines of, “If you are happy with the NSA potentially having access to your data, click here.” Apart from being a suicidal PR move, this would also probably be illegal back home in the U.S., thanks to gagging orders.
That leaves setting up functionally separate operations in the EU, which is also a nightmare proposition. Not only would absolutely no EU personal data be able to cross into the U.S. for a moment, but the U.S. Department of Justice thinks it has jurisdiction over the data stored by U.S. firms in other countries.
Whatever happens now, it won’t be pleasant for U.S. tech firms trying to service the half-billion people in the European Union.