EU throws US data transfers into doubt – again

Europe’s data watchdog refuses to extend Safe Harbour grace period

Companies that transfer European data to the US may be open to legal challenges after the EU refused to extend a grace period in the absence of any agreement guaranteeing that data's safety.

EU and US officials this week touted Privacy Shield as a successor to the now-defunct Safe Harbour deal, which had guaranteed adequate protection for European data transferred abroad.

But with months to go until Privacy Shield is officially approved, EU data regulators yesterday declined to extend a policy of no active enforcement against companies continuing to transfer data to the US without the protection of any valid deal.

Around 4,000 companies relied on the Safe Harbour agreement, and those who have not moved to an alternative data transfer mechanism are now at risk of enforcement actions.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Vinod Bange, head of UK data protection and privacy practice at law firm Taylor Wessing, told IT Pro: "UK PLC deserves better than this, Europe deserves better than this."

Safe Harbour was ruled invalid last October, when the European Court of Justice decided that America valued anti-terrorist measures such as data surveillance above people's privacy.

While Europe and the US renegotiated the agreement, the EU announced a three-month grace period in which companies could carry on moving data to the US.

Some opted to use methods like model contract clauses and binding corporate rules, but others still worked under the umbrella of the invalid Safe Harbour agreement.

The Article 29 Working Party, a group of EU data protection regulators, said those companies yet to adopt an alternative transfer mechanism could now be punished for transferring data to the US.

Head of the group, Isabelle Falque-Pierrotin, said in a press conference, quoted by Out-Law.com: "If companies are using the former Safe Harbour framework, it is illegal because this has clearly been invalidated by the judges."

Advertisement - Article continues below

Member states' own data watchdogs could now decide whether or not to take action against companies if they receive complaints.

But Bange said: "What happens to all those companies that were covered by Safe Harbour and have been left stranded in this abyss, and those who haven't found the right mechanism yet?

"There won't be an extended grace period. She said it would be up to individual states' regulators on how to respond to complaints."

While the Working Party claims many companies have shifted to using alternative data transfer methods, Bange said many have yet to migrate to a different mechanism, calling some of them unsuitable.

Advertisement
Advertisement - Article continues below

"Many are still grappling with this fundamental issue - how do they resolve their situation without using model clauses that were drafted a long time ago without considering the cloud scenario we are in now?" the lawyer said.

Whether they are suitable or not, the Working Party said these transfer mechanisms will remain valid until it has completed its assessment of Privacy Shield - likely by the middle of April.

Advertisement - Article continues below

It has asked the European Commission to provide all relevant Privacy Shield documents by the end of February.

Privacy Shield aims to offer stronger data protection to EU citizens, with the US providing written assurances it will not undertake mass surveillance of European data.

It also plans to set up an Ombudsperson to investigate accusations of spying, and force companies to respond to data complaints by certain deadlines.

The agreement drew a mixed reaction from businesses and privacy campaigners, with the latter group saying the agreement is not backed up by US law, which does allow mass surveillance.

Jim Killock, executive director of Open Rights Group said: "The rights we have under data protection, such as the right to obtain and correct our personal data, need to be legally enforceable in the USA, for every EU citizen. There seems to be great reluctance to introduce these rights in full in the USA for Europeans.

"The EU Commission is making matters worse by failing to communicate how serious the EU Court of Justice's demands are. Unless both the EU and USA face up to the need to protect our individual data protection rights, it will end up back in court.

Advertisement - Article continues below

"That will be no good for citizens or industry."

UK cloud firm Skyhigh Networks welcomed the agreement, however.

Advertisement
Advertisement - Article continues below

Kamal Shah, senior VP of products, said: "We are thrilled with the news from Brussels. The data flows between the USA and EU are so important to global business that it could have been a disaster if the previous confused situation was extended. Here's hoping that the full text is acceptable to all sides and businesses can transfer data across the Atlantic without fear of legal challenge."

The EU is now drafting an "adequacy decision" for the coming weeks, which the European Commission could adopt after receiving the Working Party's advice, and after consulting all member states.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Recommended

Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020