The European Union put the onus firmly on the U.S. to make the next move in negotiating a replacement for the now-defunct Safe Harbor Agreement on privacy protection for transatlantic personal data transfers.
“We need a new transatlantic framework for data transfers,” said Vĕra Jourová, the European Commissioner for Justice and Consumers, emphasizing the urgency of the situation. However, she said at a news conference in Brussels on Friday, “It is now for the U.S. to come back with their answers.”
EU law requires that companies guarantee the same privacy protection for the personal information of EU citizens that they hold, wherever in the world they process it.
The Safe Harbor Agreement was a simple mechanism by which companies could offer that guarantee. Reached between the European Commission and the U.S. in 2000, it allowed U.S. companies to certify that they followed EU privacy rules — but it was struck down by the Court of Justice of the EU on Oct. 6 for not providing sufficient legal safeguards.
On Friday, the Commission published a new guide for businesses looking for ways to legally export personal information to the U.S., post Safe Harbor. However, it does little more than repeat the advice the Commission gave on the day of the court’s ruling.
“Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available,” the guide says.
Jourová recognized that won’t always be easy: “Companies face some limitations when relying on alternative tools.”
Safe Harbor was simple for European companies to implement, as all they had to do was contract with a U.S. data processor registered under the agreement. It was the responsibility of the U.S. company to ensure compliance.
The alternative mechanisms provided for in the EU’s 1995 Data Protection Directive — standard contract clauses, binding corporate rules, or obtaining the informed consent of the person whose data is transferred — put the responsibility squarely on the company at the origin of the transfer.
“Whatever they choose, they must be able to prove that the protection is in place, that they guarantee the protection of data transferred to the U.S. This is especially a challenge for SMEs,” Jourová said.
Her colleague Andrus Ansip, European Commissioner for the Digital Single Market, pointed out that the use of these tools is nothing new: Many companies began complying with the directive’s requirements in the five years before Safe Harbor was introduced.
“Many of those data flows are based on contract clauses,” he said.
Whether a new Safe Harbor agreement will resolve the questions raised by the court is open to doubt. Some critics have said that, without wholesale reform of U.S. law, it just isn’t possible to provide the guarantees EU law requires. And while the majority of the EU’s data protection authorities are still studying whether the alternative tools are sufficient, German authorities are so concerned about them that have suspended all new registrations for data exports
Ansip gave a nod to some of those concerns: “It’s up to lawyers to say exactly what will be needed. A legally binding administrative decision will be needed to make this Safe Harbor 2.0 bulletproof,” he said.
In other words, Safe Harbor’s successor isn’t safe until it too has been tested by the EU’s highest court.
That’s the challenge, then, for the U.S. officials that Jourová is waiting to hear from. Next week, she said, she will travel to Washington, “to discuss the issue at the highest political level.”