EU throws US data transfers into doubt – again

Europe’s data watchdog refuses to extend Safe Harbour grace period

Companies that transfer European data to the US may be open to legal challenges after the EU refused to extend a grace period in the absence of any agreement guaranteeing that data's safety.

EU and US officials this week touted Privacy Shield as a successor to the now-defunct Safe Harbour deal, which had guaranteed adequate protection for European data transferred abroad.

But with months to go until Privacy Shield is officially approved, EU data regulators yesterday declined to extend a policy of no active enforcement against companies continuing to transfer data to the US without the protection of any valid deal.

Around 4,000 companies relied on the Safe Harbour agreement, and those who have not moved to an alternative data transfer mechanism are now at risk of enforcement actions.

Advertisement
Advertisement - Article continues below

Vinod Bange, head of UK data protection and privacy practice at law firm Taylor Wessing, told IT Pro: "UK PLC deserves better than this, Europe deserves better than this."

Safe Harbour was ruled invalid last October, when the European Court of Justice decided that America valued anti-terrorist measures such as data surveillance above people's privacy.

While Europe and the US renegotiated the agreement, the EU announced a three-month grace period in which companies could carry on moving data to the US.

Some opted to use methods like model contract clauses and binding corporate rules, but others still worked under the umbrella of the invalid Safe Harbour agreement.

The Article 29 Working Party, a group of EU data protection regulators, said those companies yet to adopt an alternative transfer mechanism could now be punished for transferring data to the US.

Head of the group, Isabelle Falque-Pierrotin, said in a press conference, quoted by Out-Law.com: "If companies are using the former Safe Harbour framework, it is illegal because this has clearly been invalidated by the judges."

Member states' own data watchdogs could now decide whether or not to take action against companies if they receive complaints.

But Bange said: "What happens to all those companies that were covered by Safe Harbour and have been left stranded in this abyss, and those who haven't found the right mechanism yet?

"There won't be an extended grace period. She said it would be up to individual states' regulators on how to respond to complaints."

While the Working Party claims many companies have shifted to using alternative data transfer methods, Bange said many have yet to migrate to a different mechanism, calling some of them unsuitable.

Advertisement
Advertisement - Article continues below

"Many are still grappling with this fundamental issue - how do they resolve their situation without using model clauses that were drafted a long time ago without considering the cloud scenario we are in now?" the lawyer said.

Whether they are suitable or not, the Working Party said these transfer mechanisms will remain valid until it has completed its assessment of Privacy Shield - likely by the middle of April.

It has asked the European Commission to provide all relevant Privacy Shield documents by the end of February.

Privacy Shield aims to offer stronger data protection to EU citizens, with the US providing written assurances it will not undertake mass surveillance of European data.

It also plans to set up an Ombudsperson to investigate accusations of spying, and force companies to respond to data complaints by certain deadlines.

The agreement drew a mixed reaction from businesses and privacy campaigners, with the latter group saying the agreement is not backed up by US law, which does allow mass surveillance.

Jim Killock, executive director of Open Rights Group said: "The rights we have under data protection, such as the right to obtain and correct our personal data, need to be legally enforceable in the USA, for every EU citizen. There seems to be great reluctance to introduce these rights in full in the USA for Europeans.

"The EU Commission is making matters worse by failing to communicate how serious the EU Court of Justice's demands are. Unless both the EU and USA face up to the need to protect our individual data protection rights, it will end up back in court.

"That will be no good for citizens or industry."

UK cloud firm Skyhigh Networks welcomed the agreement, however.

Advertisement
Advertisement - Article continues below

Kamal Shah, senior VP of products, said: "We are thrilled with the news from Brussels. The data flows between the USA and EU are so important to global business that it could have been a disaster if the previous confused situation was extended. Here's hoping that the full text is acceptable to all sides and businesses can transfer data across the Atlantic without fear of legal challenge."

The EU is now drafting an "adequacy decision" for the coming weeks, which the European Commission could adopt after receiving the Working Party's advice, and after consulting all member states.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019