Don’t expect new EU-US data transfer deal anytime soon, Reynders says

The EU's Justice Commissioner Didier Reynders tolds MEPs on Thursday that there would be no quick fix to finding a new EU-US data transfer deal, following the SchremsII case.

The EU's Justice Commissioner Didier Reynders tolds MEPs on Thursday that there would be no quick fix to finding a new EU-US data transfer deal, following the SchremsII case. [EPA-EFE/STEPHANIE LECOCQ]

There will be “no quick fix” on a revised data transfer deal between the EU and the US following a July ruling by EU judges to strike down the Privacy Shield agreement, the EU’s Justice Commissioner Didier Reynders has told MEPs.

A ruling by the European Court of Justice on July 16 found that the US surveillance regime does not allow for a sufficient degree of protection for European data, putting it at a risk that would violate rights afforded to citizens under the EU’s general data protection regulation (GDPR).

In terms of forging a new agreement, which would be the third iteration of an EU-US data transfer accord following Safe Harbour and Privacy Shield – the former which had also been annulled by the courts in 2015 – the EU’s Reynders has recently been in discussion with US counterparts.

However, the EU’s Justice Commissioner told MEPs on Thursday (3 September), that they shouldn’t hold their breath in anticipation of a new agreement appearing anytime soon.

“There will be no quick fix,” Reynders said. “What we need are sustainable solutions that deliver legal certainty, in full compliance with the judgment of the court.”

“That is also the message that I have clearly passed to my US counterparts.”

The EU’s justice chief added said that the political nature of the issue and the fact that the US election is just around the corner would also hamper talks between US and EU officials, as would the EU’s bid to explore the possibility of encouraging “legislative changes” to US surveillance law.

Section 702 of the US Foreign Intelligence Surveillance Act (FISA) permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, and has long been of concern to privacy activists in Europe.

EU-US data transfers at critical risk as ECJ invalidates Privacy Shield

The EU-US Privacy Shield agreement that attempts to guarantee the secure transmission of EU data to the United States, has been declared invalid by the European Court of Justice, in a ruling that will provoke major disruption to transatlantic data flows.

Standard Contractual Clauses

In July, the courts found that individual agreements that facilitate the global transmission of EU data, known as Standard Contractual Clauses (SCCs), were theoretically valid but that the risks involved with transferring data to some foreign countries should be taken into account by national data protection authorities.

“Unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with,” the court had said.

As a result of the court’s decision, Reynders noted on Thursday that the Commission is seeking to “modernise” Standard Contractual Clauses, and would come forth with more a more concrete plan before the end of the year.

“It’s very important to say that it’s not just possible to use SCCs without any changes,” he said, adding that the Commission would work with data protection authorities to come up with “real modernisations” to SCCs “before the end of the year.”

Schrems has worries

For his part, Austrian Privacy Max Schrems, who has led the change against data abuses in the US, warned that some American firms were simply looking to “ignore” the July ruling of the EU courts.

“What’s especially concerning in this context is these statements from US industry,” he told MEPs, saying he has recently been conducting talks with industry representatives. “I was in a couple of calls over the last couple of weeks, all of them were confidential. The feedback is that [some US firms are] simply going to ignore what the Court of Justice has said, and take the view that the SCCs are fine.”

Schrems also noted that his privacy rights group, NOYB, recently received a letter from Facebook, “that says it will continue transferring all the data” of EU Facebook users between the bloc and the US.

Meanwhile, the head of the European Data Protection Board Andrea Jelinek, who also attended Thursday’s hearing, noted that a specialised ‘task force’ had also recently been established within her organisation in order to assist the Commission in the ongoing efforts to forge new mechanisms that would permit ongoing data transfers between the EU and the US.

(Edited by Frédéric Simon)

Subscribe to our newsletters