Nmedia - Fotolia

EU data protection regulators set 31 January 2016 deadline for replacing Safe Harbour

Article 29 Working Party gives EU and US authorities until the end of January to establish an alternative data-sharing agreement

The deadline for replacing the Safe Harbour data-sharing agreement has been set for 31 January 2016, with the European Union (EU) and the US authorities risking enforcement action if they miss it.

The Article 29 Working Party, which features representatives from all 28 European data protection regulators, confirmed the deadline in a guidance document published on 16 October 2015, setting out its views on Safe Harbour being scrapped.

“If by the end of January 2016 no appropriate solution is found with US authorities, and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include co-ordinated enforcement actions,” the document states.

EU member states are further instructed to start working with the US authorities to establish a replacement for Safe Harbour, after the European Court of Justice (ECJ) ruled the data-sharing framework to be invalid on 6 October 2015.

“The Article 29 Working Party is urgently calling on the member states and the European institutions to open discussions with US authorities to find political, legal and technical solutions enabling data transfers to the territory of the US that respect fundamental rights,” the document continues.

“The current negotiations around a new Safe Harbour could be part of the solution. In any case, these should always be assisted by clear and binding mechanisms and include – at least – obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.”

It then goes on to restate that anyone still using Safe Harbour to transfer EU data back to the US is now acting unlawfully.

Safe Harbour alternatives

In the wake of the ECJ’s ruling, legal experts have been quick to point out that US firms which previously relied on Safe Harbour should consider using standard contractual clauses and binding corporate rules instead.

The Article 29 Working Party said it has no issue with firms doing this, but cautioned: “This will not prevent data protection authorities [from investigating] particular cases, for instance on the basis of complaints, and to exercise their powers to protect individuals.

“In the context of the judgement, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis,” the document concludes.

Thomas Boué, head of policy Europe, Middle-East and Africa at the anti-piracy body the Business Software Alliance (BSA), expressed disappointment at the lack of guidance the Article 29 Working Party’s response offers, but commended the organisation on leading the call to arms. 

“At a time when companies are seeking much needed clarity, we are beyond disappointed that the Article 29 Working Party failed to embrace the opportunity to provide this necessary clarity to the nearly 5,000 data processors and the hundreds of millions of customers who rely on their services in the EU and the US,” said Boué.

“The party’s call to action at all levels to seek solutions is a necessary and urgently needed step. We look forward to our continued work with US and European officials on these efforts,” he added.

Read more about Safe Harbour

Read more on Data protection regulations and compliance