EU throws US data transfers into doubt – again

Several EU flags hoisted outside a building

Companies that transfer European data to the US may be open to legal challenges after the EU refused to extend a grace period in the absence of any agreement guaranteeing that data's safety.

EU and US officials this week touted Privacy Shield as a successor to the now-defunct Safe Harbour deal, which had guaranteed adequate protection for European data transferred abroad.

But with months to go until Privacy Shield is officially approved, EU data regulators yesterday declined to extend a policy of no active enforcement against companies continuing to transfer data to the US without the protection of any valid deal.

Around 4,000 companies relied on the Safe Harbour agreement, and those who have not moved to an alternative data transfer mechanism are now at risk of enforcement actions.

Vinod Bange, head of UK data protection and privacy practice at law firm Taylor Wessing, told IT Pro: "UK PLC deserves better than this, Europe deserves better than this."

Safe Harbour was ruled invalid last October, when the European Court of Justice decided that America valued anti-terrorist measures such as data surveillance above people's privacy.

While Europe and the US renegotiated the agreement, the EU announced a three-month grace period in which companies could carry on moving data to the US.

Some opted to use methods like model contract clauses and binding corporate rules, but others still worked under the umbrella of the invalid Safe Harbour agreement.

The Article 29 Working Party, a group of EU data protection regulators, said those companies yet to adopt an alternative transfer mechanism could now be punished for transferring data to the US.

Head of the group, Isabelle Falque-Pierrotin, said in a press conference, quoted by Out-Law.com: "If companies are using the former Safe Harbour framework, it is illegal because this has clearly been invalidated by the judges."

Member states' own data watchdogs could now decide whether or not to take action against companies if they receive complaints.

But Bange said: "What happens to all those companies that were covered by Safe Harbour and have been left stranded in this abyss, and those who haven't found the right mechanism yet?

"There won't be an extended grace period. She said it would be up to individual states' regulators on how to respond to complaints."

While the Working Party claims many companies have shifted to using alternative data transfer methods, Bange said many have yet to migrate to a different mechanism, calling some of them unsuitable.

"Many are still grappling with this fundamental issue - how do they resolve their situation without using model clauses that were drafted a long time ago without considering the cloud scenario we are in now?" the lawyer said.

Whether they are suitable or not, the Working Party said these transfer mechanisms will remain valid until it has completed its assessment of Privacy Shield - likely by the middle of April.

It has asked the European Commission to provide all relevant Privacy Shield documents by the end of February.

Privacy Shield aims to offer stronger data protection to EU citizens, with the US providing written assurances it will not undertake mass surveillance of European data.

It also plans to set up an Ombudsperson to investigate accusations of spying, and force companies to respond to data complaints by certain deadlines.

The agreement drew a mixed reaction from businesses and privacy campaigners, with the latter group saying the agreement is not backed up by US law, which does allow mass surveillance.

Jim Killock, executive director of Open Rights Group said: "The rights we have under data protection, such as the right to obtain and correct our personal data, need to be legally enforceable in the USA, for every EU citizen. There seems to be great reluctance to introduce these rights in full in the USA for Europeans.

"The EU Commission is making matters worse by failing to communicate how serious the EU Court of Justice's demands are. Unless both the EU and USA face up to the need to protect our individual data protection rights, it will end up back in court.

"That will be no good for citizens or industry."

UK cloud firm Skyhigh Networks welcomed the agreement, however.

Kamal Shah, senior VP of products, said: "We are thrilled with the news from Brussels. The data flows between the USA and EU are so important to global business that it could have been a disaster if the previous confused situation was extended. Here's hoping that the full text is acceptable to all sides and businesses can transfer data across the Atlantic without fear of legal challenge."

The EU is now drafting an "adequacy decision" for the coming weeks, which the European Commission could adopt after receiving the Working Party's advice, and after consulting all member states.