Out-Law News 2 min. read

New EU-US personal data transfer agreement months away, according to report


The European Commission has given itself three months to reach a new agreement with US officials over the transfer of personal data to the US, according to a report by the Financial Times .

EU and US officials have been in negotiations over a new 'safe harbour' framework for months in a process first prompted by privacy concerns raised after revelations about US surveillance practices were leaked by the whistleblower Edward Snowden in 2013.

However, an EU court ruling last month, and comments made by data protection watchdogs in its aftermath, has put increased time pressure on the officials to finalise the agreement.

The Court of Justice of the EU ruled that a Commission decision that personal data transferred from the EU to the US in accordance with a previous agreement provided for adequate data protection was "invalid". In its ruling the CJEU raised concerns about the access US authorities have to the transferred data and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.

The underlying safe harbour framework that the Commission endorsed had allowed US companies that committed to a series of privacy principles to transfer personal data from the EU to the US in a way that was recognised as compliant with EU data protection laws. However, since the CJEU's judgment, data protection authorities have warned companies they cannot rely solely on their compliance with the safe harbour regime as demonstrating their compliance with EU law.

Alternative legal mechanisms are available to businesses to complete transfers of personal data outside of the EU. Data protection authorities have told companies that they can rely on tools such as EU model clauses and binding corporate rules (BCRs) to transfer personal data to the US for the time being. However, they are currently reviewing whether those mechanisms do provide for adequate data protection when data is transferred from the EU to the US in light of the concerns referenced by the CJEU.

The Article 29 Working Party has warned that national data protection authorities are "committed to take all necessary and appropriate actions, which may include coordinated enforcement actions" if solutions are not found by the end of January 2016 to address the identified privacy concerns relating to data transfers to the US. The Working Party said that a new safe harbour agreement "could be a part of the solution".

Despite calls for there to be a unified approach from the EU's data protection authorities to the issue of EU-US data transfers in light of the CJEU's ruling, there is evidence of different approaches being taken.

In the UK, the Information Commissioner's Office (ICO) has said that it is not in a rush to use its enforcement powers in respect of businesses' data transfer arrangements. The watchdog has said it recognises that the CJEU's ruling has created uncertainty for businesses and it has identified the alternative mechanisms companies can use to continue transferring personal data to the US in the absence of being able to rely on the safe harbour regime.

However, Hamburg's data protection authority has said it will "check to see" if companies are continuing to "transmit data solely on the basis" of the safe harbour regime. It warned that it could issue "prohibition orders" to stop data transfers if it finds companies are relying on meeting the safe harbour requirements as demonstrating compliance with EU law.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.