The European Commission wants to have a new data sharing arrangement with the US within the next three months.
“I believe Europe and the United States have all tools at hand to achieve this in three months,” Commission Vice President Andrus Ansip said today (6 November), emphasising that “it needs a bulletproof solution.”
Commission officials have rushed to step up negotiations with their US counterparts over a new deal to replace the Safe Harbour agreement, which the European Court of Justice knocked down on 6 October. Safe Harbour allowed the over 4,000 companies that signed onto it to transfer data legally from the EU to the US.
EU Justice Minister Vera Jourova is meeting with US officials over a new agreement during a trip to Washington next week.
Jourova said she would also meet with US Senators who will vote on the Judicial Redress Act that could give EU citizens’ the same legal rights as Americans if their data is mishandled.
After the ECJ verdict, the Commission scrambled to assure European businesses that they could still transfer data to the US using other legal means, like standard contractual clauses or binding corporate rules. Members of the ‘Article 29’ working party, the commission of national data protection authorities from EU member states, vowed at a plenary meeting last month to review those tools. The national authorities are meeting again in January.
The Commission published a set of guidelines on those measures today, which Ansip heralded as “providing clarity to our companies” on how to continue transferring data to the US.
Existing alternatives to Safe Harbour are still valid, according to the Commission. As a last resort, companies could transfer personal data to the US if they have a person’s clear consent about the data transfer.
Guido Lobrano, deputy director for legal affairs at trade association BusinessEurope, said there were “no surprises” in the guidelines.
“But there is also no coordination at European level and that’s what we asked for,” Lobrano said.
The ECJ verdict gave national data protection supervisors new authority to decide on privacy cases. The Commission is pushing for the national regulators to agree on how they’ll deal with data transfers, but its powers to influence the independent privacy officials are limited.
Last week, data protection authorities from Germany’s Länder announced they would no longer allow data to be transferred to the US under standard contractual clauses or binding corporate rules.
Many companies that bemoaned damage to business after the ECJ verdict said a new blanket agreement to replace Safe Harbour is the only way to restore the scale of data transfers that were allowed under the deal. The other tools, companies argue, are more complicated, expensive and would result in companies sealing several piecemeal agreements for their data transfers.
According to Lobrano, the Commission’s plan to wrap up those talks within three months are too slow.
“We think they should be a bit more ambitious. They should aim at having an agreement before Christmas so they have a new framework in place by the beginning of 2016,” he said.
Officials from the Commission’s DG Justice are meeting on Monday (9 November) with BusinessEurope and other industry associations ahead of Jourova’s trip to Washington.
According to today’s guidelines, the Commission will start periodic reviews of the agreements it still has in place with 11 other countries—including Canada, Switzerland and Israel—that call their privacy laws up to EU standards. A change to those agreements could affect whether data can legally be transferred from the EU to those countries as well.
Commission officials argue that companies started investing in data storage centres in the EU even before the ECJ verdict. Following the German data protection authorities’ statement last week, business groups fired back at Hamburg’s privacy supervisor for suggesting companies consider storing Europeans’ data within the EU.