BRUSSELS (Reuters) - European Union privacy regulators aim to agree next month on whether and how data transfers to the United States should continue as the European Commission weighs Washington’s latest proposals on a new EU-U.S. data-transfer pact.
European data protection authorities will gather in Brussels on Feb. 2 to find a common position on which legal channels companies can use to shuffle personal data across the Atlantic after the simplest system, known as Safe Harbour, was quashed by the top EU court due to concerns about U.S. snooping.
The 15-year-old Safe Harbour framework used by over 4,000 firms to transfer Europeans’ data to the United States was declared invalid by the European Court of Justice (ECJ) on Oct. 6 because the court found U.S. national security requirements trumped privacy safeguards. This meant that the data were not adequately protected.
Under EU data protection law, companies cannot transfer EU citizens’ personal data to countries outside the EU deemed to have insufficient privacy safeguards, of which the United States is one.
Revelations of mass U.S. surveillance programs where American authorities collected private information directly from big tech firms like Apple, Facebook and Google riled Europe two years ago, and set the stage for the ECJ ruling.
As Washington and Brussels stepped up discussions on a new pact, EU data protection authorities gave businesses a three-month grace period in which they could set up alternative legal systems to transfer data across the Atlantic.
These would cover binding corporate rules within multinationals, model clauses between companies or requests to people for their consent.
EU data protection authorities also urged the United States and EU to agree a new data transfer framework in the same period, failing which they could start taking enforcement action against companies if they decided that alternatives such as model clauses offered no greater protection against U.S. snooping than the old Safe Harbour did.
The United States submitted a package of proposals on a new Safe Harbour deal this week. These included a letter from U.S. Secretary of Commerce Penny Pritzker explaining U.S. commitments on the oversight of a possible new framework by both the Department of Commerce and the U.S. Federal Trade Commission, according to a person familiar with the discussions.
If acceptable to the EU, a new framework could be submitted for approval by all 28 EU commissioners on Feb. 2 to coincide with the regulators’ meeting, the person said. However, further details may need to be ironed out after that.
EU regulators have been analyzing the legality of transfer mechanisms such as binding corporate rules and should reach a common position on Feb. 2, said a spokeswoman for the French data protection authority, which will chair the meeting.
“It is evident that we will sanction any transfers of personal data which are solely based on the old Safe Harbour decision,” said Johannes Caspar, head of the Hamburg data protection authority in Germany which polices Google and Facebook.
He said a new Safe Harbour framework would have to include a number of legal safeguards such as an effective judicial review and independent oversight.
Reporting by Julia Fioretti; Editing by Mark Heinrich