Updated: Businesses face further uncertainty as EU and U.S. miss Safe Harbour 2 deadline

Update: a decision has now been reached on Safe Harbour 2, full story to follow shortly.

European businesses with operations in the United States face continued uncertainty and increased risk of enforcement after the European Commission and U.S. missed the deadline to agree a new data sharing pact following the demise of Safe Harbour protection last year.

The European Commissioner Vĕra Jourová confirmed last night (1 February) that further concessions are needed from the U.S. before a new agreement on the safe transfer of data between the UK and US can be agreed.

Talks have been underway since 6 October, when the European Court of Justice ruled in the Schrems case that the Safe Harbour arrangement – which allowed the transfer of personal information for commercial purposes from companies in the EU to companies in the U.S. that had signed up to the Safe Harbour principles – did not provide the level of data protection required by EU law.

In a statement yesterday Jourová said: “Over the past months we have intensively worked with the U.S. in order to obtain the needed commitments and clarifications to put in place a new arrangement that meets the legal requirements.”

She added: “We need strong commitments from the U.S to achieve this. We have underlined to our American partners that any new adequacy decision must be able to withstand a new legal challenge. This is important for the standard of fundamental rights protection, but also to ensure legal certainty for business.”

Jourová outlined four key issues in the talks: the need for limitations and safeguards as regards access to data by public authorities; independent oversight and individual redress in the area of national security; resolution of individual complaints about how companies process personal data; and the need for binding commitments from the U.S. side.

“In the context of our negotiations, we are obtaining specific written assurances from the U.S. that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate,” Jourová said.

“These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-U.S. persons. And let me be very clear, we will need to continue to monitor developments in this area also in the future. We need trust, but we have a duty to check. For this purpose, we will put in place an annual joint review, which will look at all aspects of the arrangement, including access to data by public authorities.”

Jourová concluded: “We are close, but an additional effort is needed.”

Commenting on the failure to reach an agreement, Ashley Winton, partner and UK head of data protection and privacy at global law firm Paul Hastings LLP and chairman of the UK Data Protection Forum said: “The Commissioner has confirmed that no agreement on the safe transfer of data between the UK and US has been agreed within the set deadline. This will cause great uncertainty for European businesses and concern amongst European citizens. Some detail has been revealed about what could be included in Safe Harbour 2.0 including an annual review that the conditions for safe processing remain satisfactory and an ombudsmen for European citizens. However, those businesses who are operating across the EU and US remain in the dark, and at increased risk of enforcement if they continue to transfer data to the US.

“The results of months’ worth of negotiation appears weak and if adopted we are likely to see further legal challenge in the European courts. The European Commission still needs to make the case that the US system of privacy laws are essentially equivalent, that data subjects have real rights against disproportionate processing in the US, and that if there is disproportionate or illegal processing then citizens can have their personal data deleted and ultimately redress in an appropriate court.”