Sergey Nivens - Fotolia
European and US lawmakers could face enforcement action after missing the deadline for replacing the Safe Harbour data-sharing agreement.
The Article 29 Working Party – a group featuring representatives from all 28 European data protection regulators – initially gave the US authorities and the European Union (EU) until 31 January to come up with a Safe Harbour alternative.
At the time of writing, the party had not passed comment on the fact the 31 January deadline has been missed, despite previously stating that failing to meet this date could result in enforcement action being taken. Meanwhile, European commissioner Věra Jourová published comments on 1 February 2016, stressing the work going on behind the scenes to establish a data-sharing regime.
“I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences,” she said.
“I believe that the close partnership between Europe and the United States deserves these special efforts – on their side and on ours. We are close, but an additional effort is needed.”
She also went on to say any arrangement would need to be “fundamentally different” to what existed before, which is why lawmakers are inclined to take their time over it.
“We have underlined to our American partner that any new adequacy decision must be able to withstand a legal challenge. This is important for the standard of fundamental rights protection, but also to ensure legal certainty for business,” Jourová said.
“It cannot be a ‘one-off’ decision, like it was 16 years ago. Over the past months we have intensively worked with the US to obtain the needed commitments and clarifications to put in place a new arrangement that meets the legal requirements.”
Read more about Safe Harbour
- A mechanism for the transfer of data between the European Union (EU) and the US to replace the Safe Harbour agreement is achievable, according to an EU data protection official.
- The European Court of Justice's decision to invalidate the Safe Harbour agreement has far-reaching implications for businesses.
Plans for data ombudsman
While the comments hinted at the reasons why the EU is in no rush to push through a successor to Safe Harbour, Jourová also went on to outline the progress that has been made in this area already.
Jourová said EU negotiators are seeking written assurances that access to EU data will be limited to that deemed “necessary and proportionate”, to guard against mass surveillance taking place.
The commissioner also outlined plans to appoint a “functionally independent” ombudsman, who European citizens can turn to should they believe their personal data has been used unlawfully by US authorities.
In a similar vein, she said citizens should be able to direct any complaints they have about a company’s attitude to privacy issues directly to the organisation in question – while the ombudsman would provide access to a free-of-charge dispute-resolution service as a back-up.
“Let me also stress that European Data Protection Authorities (DPAs) must have an active role in the new arrangement. They are the guardian of the individual's right to protection of personal data under the Charter,” said Jourová.
“The DPAs must have the possibility to refer complaints – whether it is on commercial aspects or on national security – and to uphold the rights of Europeans when their data is transferred to the EU.”
Tech firms plan European datacentres
The Safe Harbour agreement had, until October 2015, been used by around 3,000 companies to transfer data belonging to European citizens to the US – including technology firms such as Facebook, Google and Microsoft.
However, the validity of the arrangement was called into question by Austrian Max Schrems, who argued there were no guarantees Safe Harbour would protect the data of European users from the surveillance activities of the US government.
The European Court of Justice (ECJ) backed this assertion in October 2015, prompting European and US lawmakers to scramble for an alternative arrangement for transferring data from Europe across the pond.
Meanwhile, as the uncertainty over the future of Safe Harbour continued, US technology firms have been rushing to announce plans to open datacentres in Europe to side-step the need to send data back to America for processing.
Read more on Infrastructure-as-a-Service (IaaS)
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement
US and UK days away from European Parliament ultimatum to suspend data transfers to the US
European Parliament heads for showdown with US over Privacy Shield
EU-US Privacy Shield data pact is working but needs improvement, says EC