Out-Law News

Call for 'moratorium' on enforcement of rules governing EU-US data transfers


There should be a "moratorium" on enforcement action against organisations that transfer personal data from the EU to the US whilst negotiations continue on a new framework for facilitating EU-US data transfers, a business group has said.

A deadline for EU and US officials to reach agreement on a new safe harbour framework for EU-US data transfers, dubbed safe harbour 2.0, has expired, raising the prospect that EU data protection authorities (DPAs) will start to scrutinise organisations' EU-US data transfers more closely and potentially take enforcement action where they find that EU data protection laws have been broken.

The DPAs are reportedly considering placing tighter restrictions on EU-US data transfers and are expected to set out a common approach to enforcement of the rules on EU-US data transfers later this week.

The DPAs, under the umbrella of the Article 29 Working Party, have been reviewing legal and contractual mechanisms that businesses use to underpin their transfers of personal data from the EU to the US in light of a ruling last October by the EU's highest court that the original safe harbour regime was invalid. Some DPAs have said they believe the same privacy failings identified in the ruling in relation to the safe harbour framework are inherent in the alternative legal and contractual mechanisms organisations rely on.

Data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said: "When you look at the grounds the court used to invalidate safe harbour, you could apply more or less verbatim the same reasons to invalidate the alternative methods. That would make it extremely difficult to export data from the EU to the US. It would become almost an exception to have permission, and I don't see how in reality that could work out because many companies depend on the transfers from an economic perspective."

On Monday, EU justice commissioner Vera Jourová confirmed that the Commission is "close" to an agreement with US officials over safe harbour 2.0 but that talks are continuing. The Commission missed the 31 January deadline set by the Article 29 Working Party for finalising the new framework.

Jourová said the Commission is seeking "formal and binding" commitments from the US that provide for sufficient "limitations and safeguards" over US authorities' access to data transferred from the EU, deliver "independent oversight and individual redress in the area of national security", and allow EU citizens to raise complaints before the US courts over how their personal data has been processed in the US.

"We are aiming for a robust new system that, unlike [the original] safe harbour: ensures that any individual complaint is resolved; includes guarantees that access by public authorities is limited to what is proportionate or necessary; will be closely monitored and reviewed on a regular basis with the involvement of national security bodies and DPAs," Jourová said.

Further talks internally at the European Commission and with US officials are expected to take place on Tuesday. The Article 29 Working Party's meeting to finalise a collective approach on the subject of EU-US data transfers also takes place on Tuesday and Wednesday, with an announcement on the outcome of that meeting expected to be made on Wednesday afternoon.

The Information Technology and Innovation Foundation (ITIF) urged the DPAs not to move forward with enforcement action against companies over data transfers whilst talks continue on safe harbour 2.0.

"Every day that goes by without a comprehensive agreement creates additional risk for businesses, which will translate into higher prices and lower quality services for consumers," ITIF vice president Daniel Castro said. "Given the critical importance of the data economy in both Europe and the United States, both sides need to act swiftly to reach a final agreement."

"In the spirit of working towards an agreement that restores cross-border data flows, the European data regulators … should establish a moratorium on new enforcement actions to give negotiators additional time to find a compromise. Enacting temporary enforcement measures at this point would be premature and impose unnecessary costs on businesses and consumers without addressing the long-term goals of either European or US interests," Castro said.
