EU Aims for January Agreement on U.S. Data Transfers
The European Union (EU) is aiming to reach a new agreement with the U.S. regarding transatlantic data transfers in the next three months. The current pact, known as the Safe Harbor agreement, had been in place for 15 years and regulates the transfer of data about European users to servers in the U.S.
But the agreement was invalidated on October 6, when the European Court of Justice ruled that the existing framework failed to adequately protect the privacy rights of European citizens. The EU and the U.S. had already been working toward an agreement prior to the court’s opinion, but the EU said today that it will redouble its efforts to reach a new deal in light of the ruling.
Stepping Up Negotiations
The decision has thrown many European and multinational companies into legal limbo as they rush to comply with the court’s decision. “The objective of the commission is to conclude these discussions within three months,” the European Commission, the executive body of the EU, said in a statement today. “In the meantime, companies need to comply with the ruling and rely on alternative transfer tools where available.”
The commission also issued new guidance on what companies can do to comply with the law until a new Safe Harbor agreement can be reached. Data transfers can no longer be based on the invalidated Safe Harbor decision, according to the new guidance. Instead, standard contractual clauses and binding corporate rules can be used as the basis for data transfers.
The EU also noted that if an appropriate solution isn’t found by the end of January 2016, the onus will fall on the digital protection authorities of the EU’s individual member states to take the necessary actions and coordinate with law enforcement.
“Citizens need robust safeguards to ensure their fundamental rights are protected,” said European Commissioner Vera Jourová. “Our aim today is to explain under which conditions businesses can lawfully transfer data in this interim period.” Jourová said she had also stepped up talks with the U.S. to expedite a new agreement, with a new round of talks set to begin in Washington next week.
Big Impact on Big Business
Jourová said she met with business and industry representatives last month who asked for a clear and uniform interpretation of the court’s ruling, as well as more clarity on the instruments they could use to transfer data.
October’s ruling sent shockwaves throughout the business community, as the decision made it illegal for companies to transfer personal data on European users to the U.S. More than 4,000 companies are affected by the decision and are now scrambling to comply.
The Article 29 Working Party, an independent advisory body to the European Commission on data protection and privacy, has responded positively to the decision. The advisory group called the National Security Agency's surveillance program incompatible with EU laws and argued that existing data transfer tools are inadequate. Furthermore, it has said the U.S. should not be considered a safe destination for data transfers, citing the power of the U.S. government to access citizen data.
Image credit: iStock/Artist's concept.