European Union privacy regulators aim to agree next month on whether and how data transfers to the United States should continue in the absence of an EU-US data-transfer pact that was struck down last year on privacy concerns.
European data protection authorities will gather in Brussels on Feb. 2 to find a common position on which legal channels companies can use to shuffle data across the Atlantic after the simplest system was quashed by the top EU court.
The 15-year-old Safe Harbour framework used by over 4,000 firms to transfer Europeans’ data to the United States was declared invalid by the European Court of Justice (ECJ) on Oct. 6 because the court found US national security requirements trumped privacy safeguards, meaning the data were not adequately protected.
Under EU data protection law, companies cannot transfer EU citizens’ personal data to countries outside the EU deemed to have insufficient privacy safeguards, of which the United States is one.
Revelations of mass US surveillance programmes where American authorities hoovered up private information directly from big tech companies such as Apple, Facebook and Google riled Europe two years ago, and set the stage for the ECJ ruling.
EU data protection authorities gave businesses a three-month grace period in which they could set up alternative legal systems to shuffle data across the Atlantic, such as binding corporate rules within multinationals, model clauses between companies or asking people for their consent.
They also urged Brussels and Washington to agree on a new data transfer framework in the same period, failing which they could start taking enforcement action against companies if they decide that alternatives such as model clauses offer no greater protection against US snooping than the old Safe Harbour did.
The regulators have been analysing the legality of the other transfer mechanisms and should reach a common position on Feb. 2, a spokeswoman for the French data protection authority, which will chair the meeting, said.
“It is evident that we will sanction any transfers of personal data which are solely based on the old safe harbour decision,” said Johannes Caspar, head of the Hamburg data protection authority in Germany which polices Google and Facebook.
He said a new Safe Harbour framework would have to include a number of legal safeguards such as an effective judicial review and independent oversight.
The United States submitted a package of proposals on a new Safe Harbour deal this week including a letter from US Secretary of Commerce Penny Pritzker explaining US commitments on the oversight of a possible new framework, according to a person familiar with the discussions.