The European Commission has said it hopes to reach a deal with the U.S. on a so-called ‘Safe Harbor 2.0′ agreement on data transfers by January 2016 — laying out a three month timetable to hammer out a new deal on transatlantic data flows.
The fifteen year old Safe Harbor agreement, which had allowed some 4,700 companies to self-certify that they would provide adequate protection of European citizens’ data once it was in the U.S. for processing — was ruled invalid by Europe’s top court early last month, leaving businesses scrambling to figure out how to operate legal data transfers in the meanwhile.
The trigger for the ECJ decision? U.S. intelligence agency mass surveillance programs undermining Europeans’ fundamental data protection rights. Intelligence agency access to data remains the sticking point for agreeing any new Safe Harbor 2.0 deal.
Today the EC reiterated the alternative methods available for businesses to enable data flows to continue in the interregnum between data transfer agreements — issuing a Communication which details the various options. These include contractual clauses, intra-group transfers and individual user consent.
However the latter consent option was dubbed an alternative of “last resort” by Commissioner Věra Jourová, speaking during a press conference. She noted that while it is up to companies to choose the “effective rules”, she stressed they “must be able to prove that the protection is in place — that they guarantee high protection of the data transferred to the U.S.”.
So businesses seeking to sidestep data protection requirements via a blanket consent check-box pushed out at their users is not going to cut it.
Today’s EC Communication makes plain Safe Harbor is no longer a viable option — noting that “data transfers can no longer be based on the Commission’s invalidated Safe Harbour Decision”. But, also speaking during the press conference, Commissioner Andrus Ansip sought to strike a reassuring tone for both citizens and businesses in the wake of the Safe Harbor strike down.
“The Communication adopted today gives reassurances to citizens and consumers that their data is protected. Without trust from our citizens a functioning digital single market based on data will not work,” he said. “This Communication also provides clarity to our companies on alternatives. Free flow of data will not be unduly disrupted.”
He also noted that while many businesses have relied on Safe Harbor to govern data flows, others had been using alternative methods detailed in the Communication.
“The first [European] Data Protection Directive was adopted in the year 1995 already so many of those data flows between Europe and the United States — they are based on contract clause, which is allowed according to this data protection directive. There are data flows which are based inside of corporations and consent is the last resort,” he added. “Safe Harbor is not the only basis which allows those data flows between the EU and the U.S.”
Jourová said it’s her view that the best way to manage and safeguard transatlantic data flows is via a new top level agreement — aka a Safe Harbor 2.0. She is due to travel to Washington DC shortly to meet her U.S. counterparts for continued discussions.
Talks with the U.S. on a new Safe Harbor regime have already been ongoing since 2013 — albeit the Commission is attempting to set out a deadline for completing the negotiations now. “Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations,” noted Ansip in a statement.
Responding to a question from a journalist about whether additional changes to U.S. law would be needed to ensure any new Safe Harbor agreement is able to stand up in court, Ansip suggested the U.S. will indeed need to legislate for enhanced data protection if it wants to secure a new agreement on European data transfers.
“It is up to lawyers to say what exactly will be needed but I think that a legally binding administrative decision will be needed to make this Safe Harbor 2.0 Safe Harbor bulletproof according to my understanding,” he said.
“There is a sense of urgency on both sides,” he added, noting that the earlier talks to agree a new Safe Harbor deal had been “pretty close to close” before the ECJ ruling landed.
“According to our understanding we had to do more, but we don’t have to start from zero,” he added.
Jourová said the EC is “strongly following” developments in the U.S. regarding surveillance and national intelligence reform — and described the USA Freedom Act, which has sought to place limits on government mass surveillance programs, as “good progress”.
In addition, she said the EC is “very satisfied” that the Judicial Redress Bill — which would allow European citizens to go to American courts in the event of national authorities breaching their data protection rights — was adopted by the House of Representatives last month.
“Now we are waiting for adoption in the Senate,” she added. “Also we consider a very positive step forward all the President’s instructions to the whole intelligence community — the Presidential Policy Directive 28. We are waiting for the report of President Obama which should come out in January 2016. So we are following all these changes.”
Summing up, she described measures currently undertaken by the U.S. as not “sufficient” at this stage, in terms of securing a new Safe Harbor agreement, but rather said they are moving “in the right direction”.
“There should be a stronger concentrated effort to achieve more changes and more reforms in this field in the United States,” she added.
Jourová noted that the ECJ ruling on Safe Harbor “clearly strengthened” the role of national data protection authorities by declaring they have the right to stop transfers if they are satisfied there is no adequate protection for Europeans’ data once it goes to the U.S.
She said the publication of today’s Communication is aimed at making prior data protection guidance published by DPAs more easily available, as well as putting it in the context of the ECJ’s ruling.
“We will continue to work in close cooperation with the national data protection authorities. It is the task of the national data protection authorities to supervise that data exporters live up to their responsibility. They will work together in this to avoid a fragmentation of the European digital single market,” she added.