EU imposes deadline for new US data pact

The Commission imposed the deadline following two years of talks to get the US to beef up protection standards on data transfers under the so-called Safe Harbour agreement.

It had issued 13 recommendations in the aftermath of media revelations that the US National Security Agency had been bulk collecting the data of EU citizens.

But negotiations stalled after the US refused to budge on the national security exemption ideas demanded by the Commission.

The Commission asked to ensure that those exemptions are “used only to an extent that is strictly necessary or proportionate."

The European Court of Justice (ECJ) in Luxembourg last month ruled invalid the Safe Harbour agreement because it failed to provide the “adequate” data protection standards demanded by EU law and fundamental rights.

All data transfers under the agreement are now banned.

The Irish High Court brought the case to Luxembourg following a complaint against Ireland’s data protection authority on Facebook by Austrian student Max Schrems.

The ECJ ruling was hailed as a major victory for civil rights in Europe.

But US firms and authorities balked at it, given the possible financial implications and business uncertainty it generated.

The around 4,400 US firms that signed up to the self-certification agreement are now required to use alternative data transfer methods.

Tactical advantage

The Commission is using the court ruling and the threat from national data protection authorities as leverage against the Americans.

EU justice Commissioner Vera Jourova told reporters in Brussels that the US must now “take the necessary steps to establish this new framework, one that contains limitations to government access to data and the necessary safeguards, including judicial control."

The Czech commissioner said any new data pact with the US would also have to conform to the Luxembourg judgment.

The judgment pointed out, among other things, that US national security requirements ignored Safe Harbour.

With Safe Harbour scrapped, companies now have to use other legal transfer schemes.

The two biggest are standard contractual clauses and binding corporate rules.

Contractual clauses specify data protection obligations that have to be met by both parties to the contract and apply to companies exchanging personal data.

Binding corporate rules are used for intra-group data transfers within a group of companies, some of which are in Europe and the United States.

Jourova, citing the EU's main privacy regulatory body, the "article 29 working party," said such transfers can be used until the end of January 2016.

“As you can see, companies thus face some limitations when relying on alternative transfer tools. This is why the commission strongly believes that we need a new stronger framework for trans-Atlantic data transfers that will replace the old Safe Harbour," she said.

But not everyone is convinced a new Safe Harbour will ease business uncertainty.

Last month Max Schrems said a new Safe Harbour scheme would likely be challenged in the courts again. He said companies would probably avoid the beefed up scheme.

“If we find an agreement, it is very likely that the Safe Harbour will be challenged in the court again," he warned.