Legal limbo as EU-US data talks drag out

The two sides are trying to reach a new Safe Harbour agreement, which governs how US firms respect privacy rights of EU citizens whenever they transfer and use their data.

Data protection authorities had imposed a three-month deadline in November after the European Court of Justice (ECJ) scrapped the original 15-year old scheme on grounds it exposed Europeans to US privacy abuse.

That deadline officially ended on Sunday (31 January) with the Article 29 Working Party, a committee of all EU data protection authorities, having threatened “coordinated enforcement actions” against US firms.

Firms are now relying on internal rules and contractual clauses binding them to data protection laws to govern transfers, but EU regulators are due to decide on Wednesday whether this kind of practice should be restricted.

At stake is trust, with the EU side unconvinced US authorities will fully respect any new agreement, given past revelations of US-led mass surveillance by former National Security Agency contractor Edward Snowden.

"What we need now is trust but we also have the duty to check, for this purpose, we will put in place annual joint-review," said Jourova.

Signatures is all you need

Any new pact will be based on "an exchange of letters" signed by top authorities in the US and EU.

The two sides have been at loggerheads over national security access to data for the past two years, with the EU court ruling in October giving the EU a boost in calling for more guarantees.

EU negotiators want to make sure the new pact is both binding and enforceable, so that it stands up to any fresh legal challenge.

A US judicial redress act, designed to allow non-US citizens to sue in US courts over privacy violations, was meant to ease concerns. But last-minute amendments appear to have undermined the redress act.

Jourova did not go into details of the dispute, noting that she first needed to provide a report to all EU commissioners at their weekly meeting on Tuesday.

The lack of accord is a blow to the some 4,000 firms that had relied on Safe Harbour to transfer data.

It points to lack of assurances by the US to respect the EU demands.

It also remains unclear how the privacy protection rights of EU citizens can be guaranteed when US national security and intelligence gathering is covert by nature.

Written assurances

Another idea, still under discussion, is to set up an ombudsperson in the US who could respond to complaints of alleged privacy violations by EU citizens.

Jourova added that she wanted written assurances from the US that access by public authorities to personal data transferred from Europe will be limited to what is "necessary and proportionate".

But not everyone was convinced by her argument.

Dutch liberal MEP Sophie In't Veld pointed out that a signed letter by the current US administration might no longer be valid after the forthcoming presidential election.

"The legal status of 'written assurances' or 'signatures at the highest level' is very unclear. And can we really expect an ombudsman to oversee US secret services?" she said.

Should the next administration not respect the pact, then it would be suspended, responded Jourova.