The European Commission wants to have a new data sharing arrangement with the US within the next three months.
“I believe Europe and the United States have all tools at hand to achieve this in three months,” Commission Vice President Andrus Ansip said today (6 November), emphasising that “it needs a bulletproof solution.”
Commission officials have rushed to step up negotiations with their US counterparts over a new deal to replace the Safe Harbour agreement, which the European Court of Justice knocked down on 6 October. Safe Harbour allowed the more than 4,000 companies that signed onto it to transfer data legally from the EU to the US.
EU Justice Minister Vera Jourova is meeting with US officials over a new agreement during a trip to Washington next week.
Jourova said she would also meet with US Senators who will vote on the Judicial Redress Act that could give EU citizens the same legal rights as Americans if their data is mishandled.
After the ECJ verdict, the Commission scrambled to assure European businesses that they could still transfer data to the US using other legal means, like standard contractual clauses or binding corporate rules. Members of the ‘Article 29’ working party, the commission of national data protection authorities from EU member states, vowed at a plenary meeting last month to review those tools. The national authorities are meeting again in January.
The Commission published a set of guidelines on those measures today, which Ansip heralded as “providing clarity to our companies” on how to continue transferring data to the US.
Existing alternatives to Safe Harbour are still valid, according to the Commission. As a last resort, companies could transfer personal data to the US if they have a person’s clear consent to the data transfer.
Guido Lobrano, deputy director for legal affairs at trade association BusinessEurope, said there were “no surprises” in the guidelines.
“But there is also no coordination at European level and that’s what we asked for,” Lobrano said.
The ECJ verdict gave national data protection supervisors new authority to decide on privacy cases. The Commission is pushing for the national regulators to agree on how they’ll deal with data transfers, but its powers to influence the independent privacy officials are limited.
Last week, data protection authorities from Germany’s Länder announced they would no longer allow data to be transferred to the US under standard contractual clauses or binding corporate rules.
Many companies that bemoaned damage to business after the ECJ verdict said a new blanket agreement to replace Safe Harbour is the only way to restore the scale of data transfers that were allowed under the deal. The other tools, companies argue, are more complicated, expensive and would result in companies sealing several piecemeal agreements for their data transfers.
According to Lobrano, the Commission’s plan to wrap up those talks within three months is too slow.
“We think they should be a bit more ambitious. They should aim at having an agreement before Christmas so they have a new framework in place by the beginning of 2016,” he said.
Officials from the Commission’s DG Justice are meeting on Monday (9 November) with BusinessEurope and other industry associations ahead of Jourova’s trip to Washington.
According to today’s guidelines, the Commission will start periodic reviews of the agreements it still has in place with 11 other countries (including Canada, Switzerland and Israel) that recognise those countries’ privacy laws as up to EU standards. A change to those agreements could affect whether data can legally be transferred from the EU to those countries as well.
Commission officials argue that companies started investing in data storage centres in the EU even before the ECJ verdict. Following the German data protection authorities’ statement last week, business groups fired back at Hamburg’s privacy supervisor for suggesting companies consider storing Europeans’ data within the EU.
German MEP Axel Voss (EPP), shadow rapporteur on the data protection regulation: "I appreciate the commitment made by the Commission to conclude negotiations with the US within three months. A new adequacy decision including a sound legal framework for the transfer of data to the US remains a key priority and provides the best solution for our companies and a less burdensome data transfer mechanism. However, the Standard Contractual Clauses and the Binding Corporate Rules are too general and they are not a real alternative solution for the immediate transfer of data, because these procedures are too time consuming. I regret that the Commission has not evaluated any encryption solutions for the transfer of data from the EU to the US."
John Higgins, director general of trade association DigitalEurope: “As the European Commission correctly noted, businesses urgently need a revised transatlantic data transfer framework that is simpler, less burdensome and less costly than alternative transfer mechanisms. As such we once more reiterate the urgent need for the EU and US to conclude negotiations on a new intergovernmental agreement prior to the 31 January 2016 deadline as set out by the Article 29 Working Party.”
Existing European rules on data protection were adopted in 1995, when the internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate has taken a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.