The European Commission is reviewing the 12 data transfer agreements it has with countries outside the bloc, as part of a scrutiny process that could potentially result in the deals being axed.
A senior Commission official in charge of negotiating those data agreements said that the EU executive has been intensely analysing all 12 of the deals by asking foreign governments for written clarification on their privacy safeguards and by sending experts to visit those countries.
“We are looking at them with the objective of keeping them,” Bruno Gencarelli, the head of a unit on data protection at the Commission’s justice department, said on Wednesday (8 November).
“If possible. But I’m very positive,” he added after a pause. Gencarelli was speaking at a conference organised in Brussels by the International Association of Privacy Professionals.
“With many of them we have a very intense dialogue,” he said.
Gencarelli said the Commission is running the deals through a thorough review with the aim of keeping them from failing potential challenges in courts.
“We believe in the importance of these adequacy decisions and we want these adequacy decisions to stand the political and legal test and scrutiny,” which he said are clearly “more certain” than when the deals were inked.
The EU has sealed so-called adequacy agreements – which allow data to flow more easily between the EU and other countries only if their privacy standards are determined to be on par with Europe’s strict safeguards – with a small group of countries.
EU adequacy agreements have faced increased scrutiny over the last two years: in 2015, the European Court of Justice ruled the EU safe harbour deal with the United States to be illegal because the US did not protect Europeans from government surveillance. The Commission signed off last year on the privacy shield, a replacement arrangement to uphold billions of euros in digital trade between the EU and the US.
In addition to the controversial privacy shield deal with the US, the EU has adequacy agreements that allow companies to share data with Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay.
Next year, EU privacy standards will become even tougher when the bloc’s sweeping new data protection regulation goes into effect.
In an opening speech at Wednesday’s privacy conference, EU Justice Commissioner Vera Jourova said that more and more countries outside the EU are passing their own privacy laws.
Gencarelli told conference attendees that paves the way for adequacy agreements that allow businesses to move data seamlessly across borders. It is easier for the Commission to agree to deals with other countries that have broad privacy laws like the EU does, he said. The US, for example, has sectoral rules but does not have sweeping privacy legislation.
“If we want a solution for international transfers – long-lasting – it has to be built on convergence and on hard law convergence,” he said.
Some privacy advocates have argued that the lack of broad data protection legislation in the US should have prevented the Commission from signing off on the privacy shield agreement. The EU’s top data protection watchdog Giovanni Buttarelli told EURACTIV.com this summer that the privacy shield should be temporary – and eventually be replaced by a more secure arrangement when the US passes a tougher law to safeguard data.
The Commission’s recent push to probe its existing data sharing arrangements stems from a strategy paper it published in January, Gencarelli said. The Commission drafted a new strategy for adequacy agreements amid controversy over the sensitive issue of transferring Europeans’ data to countries outside the bloc.
The paper stated that the Commission will carry out “periodic” reviews of its adequacy decisions every four years, or sooner. Gencarelli’s comments show that the Commission has started to review the 12 existing EU agreements within ten months of publishing the new strategy.
“This was not a communication that was more or less a ‘nice-to-do’ update. It has started to produce some very concrete effects and results,” Gencarelli said, pointing to the Commission’s current efforts to hammer out a new deal with Japan.
Jourova announced this summer that discussions were advanced between the Commission and Japan to seal an adequacy agreement for data flows. She said on Wednesday that she will start talks later this month with South Korea to reach a similar deal.
Negotiations over a data arrangement with Japan are separate from the EU-Japan free trade agreement.
The Commission has come under pressure over its position on including data flows in its international trade agreements. Some privacy advocates have pushed for data transfers to be excluded from trade deals, while several EU member states want upcoming free trade agreements to guarantee that data can move freely.
After a back-and-forth between disagreeing factions within the Commission last year, the executive sought to put the discussion to rest in its strategy paper from January.
“Whereas the protection of personal data is non-negotiable in trade agreements, the EU regime on international data transfers […] provides a broad and varied toolkit to enable data flows in different situations while ensuring a high level of protection,” the communication reads.