US must make next move on new Safe Harbour deal, says EC
6 November 2015
The European Union put the onus firmly on the US to make the next move in negotiating a replacement for the now-defunct Safe Harbour Agreement on privacy protection for transatlantic personal data transfers.
“We need a new transatlantic framework for data transfers,” said Věra Jourová, the European Commissioner for Justice and Consumers, emphasising the urgency of the situation. However, she said at a news conference in Brussels on Friday (06/11/2015), “It is now for the US to come back with their answers.”
EU law requires that companies guarantee the same privacy protection for the personal information of EU citizens that they hold, wherever in the world they process it.
The Safe Harbour Agreement was a simple mechanism by which companies could offer that guarantee. Reached between the European Commission and the US in 2000, it allowed US companies to certify that they followed EU privacy rules – but it was struck down by the Court of Justice of the EU on Oct. 6 for not providing sufficient legal safeguards.
On Friday, the Commission published a new guide for businesses looking for ways to legally export personal information to the US, post Safe Harbour. However, it does little more than repeat the advice the Commission gave on the day of the court’s ruling.
“Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available,” the guide says.
Jourová recognised that won’t always be easy: “Companies face some limitations when relying on alternative tools.”
Safe Harbour was simple for European companies to implement, as all they had to do was contract with a US data processor registered under the agreement. It was the responsibility of the US company to ensure compliance.
The alternative mechanisms provided for in the EU’s 1995 Data Protection Directive – standard contract clauses, binding corporate rules, or obtaining the informed consent of the person whose data is transferred – put the responsibility squarely on the company at the origin of the transfer.
“Whatever they choose, they must be able to prove that the protection is in place, that they guarantee the protection of data transferred to the US. This is especially a challenge for SMEs,” Jourová said.
Her colleague Andrus Ansip, European Commissioner for the Digital Single Market, pointed out that the use of these tools is nothing new: Many companies began complying with the directive’s requirements in the five years before Safe Harbour was introduced.
“Many of those data flows are based on contract clauses,” he said.
Whether a new Safe Harbour agreement will resolve the questions raised by the court is open to doubt. Some critics have said that, without wholesale reform of US law, it just isn’t possible to provide the guarantees EU law requires. And while the majority of the EU’s data protection authorities are still studying whether the alternative tools are sufficient, German authorities are so concerned about them that they have suspended all new registrations for data exports.
Ansip gave a nod to some of those concerns: “It’s up to lawyers to say exactly what will be needed. A legally binding administrative decision will be needed to make this Safe Harbour 2.0 bulletproof,” he said.
In other words, Safe Harbour’s successor isn’t safe until it too has been tested by the EU’s highest court.
That is the challenge, then, for the US officials that Jourová is waiting to hear from. Next week, she said, she will travel to Washington, “to discuss the issue at the highest political level.”
Some companies have already moved to address the issue by reassuring users of their cloud services that, if they desire, European data can remain in Europe. Infor has made such a confirmation, and Oracle has issued a statement too:
“Oracle offers Cloud customers the ability to store their data in Europe so that it is not sent for storage elsewhere. Certain Cloud operations may require access from engineering resources in other regions. Those resources are subject to EU data transfer requirements without reliance on the Safe Harbour Framework.”
IDG News Service and TechCentral Reporters