No agreement as deadline to replace Safe Harbour expires
Two days from their deadline, US and European Union negotiators still have no replacement for the transatlantic data-transfer agreement overturned last year by the EU’s top court.
The original Safe Harbour agreement enabled companies to store and process EU citizens’ personal information in the US in compliance with strict European data protection laws, and its invalidation by the Court of Justice of the European Union last October in a case relating to Facebook’s activities has called into question the operations of companies large and small.
EU negotiators appear to be pushing for further concessions from their US counterparts as they work on Safe Harbour’s replacement, and look set to miss 31 January deadline imposed by Europe’s privacy regulators rather than compromise on their principles.
“Intense negotiations are ongoing. They are constructive but there will not be agreement for any price,” spokesman Christian Wigand said Friday at the Commission’s daily news briefing. “We need an agreement that lives up to the benchmarks set by the Court of Justice.”
Among the court’s requirements was a right to legal redress for EU citizens whose personal data is inappropriately handled by US law enforcers, intelligence agencies and other public bodies after it is transferred to the US.
The continued absence of such a right from US law is one of the sticking points for European lawmakers. The US House of Representatives has already approved a text that would satisfy European negotiations, the Judicial Redress Act, but the bill has not yet received Senate approval. On Thursday night the Senate Judiciary Committee gave it their assent, but it has not yet been scheduled for a full vote.
The Safe Harbour data transfer agreement provided companies with a way to collect the personal information of Europeans and process it legally in the US.
European Commission representatives had already begun calling for changes to the agreement in 2013, when Edward Snowden’s revelations about the US National Security Agency’s activities made it clear that the agreement did not afford data held in the US the same protections as it received in Europe, as required by the 1995 Data Protection Directive.
Nevertheless, the invalidation of the agreement by the Court of Justice of the European Union on 6 October came as something of a shock for European businesses. The court had been asked to rule on a much narrower question in a case brought against Ireland’s Data Protection Commissioner by Austrian Max Schrems (pictured) over the commissioner’s handling of his complaint against Facebook.
Schrems, a Facebook user, had asked the commissioner to rule that, in the light of the Snowden revelations, Facebook’s reliance on the Safe Harbour agreement to process his personal information in the US did not provide the privacy protections required by the 1995 directive.
Facebook has not changed its practices since October, saying that in any case it doesn’t rely on the Safe Harbour agreement to justify the legality of its activities.
The directive offers companies other tools to guarantee customers’ privacy when transferring their data to the US, including model contract terms for use in their dealings with US partners, and binding corporate rules for transfers between subsidiaries of a multinational.
However, there are also questions about whether those tools meet the standards set by the Court of Justice. Europe’s data protection authorities will meet on 2 February to finalise a report on the impact of the decision on the other data transfer tools, which they plan to present on Wednesday 3 February.
Peter Sayer, IDG News Service