EU throws US data transfers into doubt – again

Europe’s data watchdog refuses to extend Safe Harbour grace period

Companies that transfer European data to the US may be open to legal challenges after the EU refused to extend a grace period in the absence of any agreement guaranteeing that data's safety.

EU and US officials this week touted Privacy Shield as a successor to the now-defunct Safe Harbour deal, which had guaranteed adequate protection for European data transferred abroad.

Advertisement - Article continues below

But with months to go until Privacy Shield is officially approved, EU data regulators yesterday declined to extend a policy of no active enforcement against companies continuing to transfer data to the US without the protection of any valid deal.

Around 4,000 companies relied on the Safe Harbour agreement, and those who have not moved to an alternative data transfer mechanism are now at risk of enforcement actions.

Vinod Bange, head of UK data protection and privacy practice at law firm Taylor Wessing, told IT Pro: "UK PLC deserves better than this, Europe deserves better than this."

Safe Harbour was ruled invalid last October, when the European Court of Justice decided that America valued anti-terrorist measures such as data surveillance above people's privacy.

While Europe and the US renegotiated the agreement, the EU announced a three-month grace period in which companies could carry on moving data to the US.

Advertisement - Article continues below
Advertisement - Article continues below

Some opted to use methods like model contract clauses and binding corporate rules, but others still worked under the umbrella of the invalid Safe Harbour agreement.

The Article 29 Working Party, a group of EU data protection regulators, said those companies yet to adopt an alternative transfer mechanism could now be punished for transferring data to the US.

Head of the group, Isabelle Falque-Pierrotin, said in a press conference, quoted by "If companies are using the former Safe Harbour framework, it is illegal because this has clearly been invalidated by the judges."

Member states' own data watchdogs could now decide whether or not to take action against companies if they receive complaints.

But Bange said: "What happens to all those companies that were covered by Safe Harbour and have been left stranded in this abyss, and those who haven't found the right mechanism yet?

"There won't be an extended grace period. She said it would be up to individual states' regulators on how to respond to complaints."

Advertisement - Article continues below

While the Working Party claims many companies have shifted to using alternative data transfer methods, Bange said many have yet to migrate to a different mechanism, calling some of them unsuitable.

"Many are still grappling with this fundamental issue - how do they resolve their situation without using model clauses that were drafted a long time ago without considering the cloud scenario we are in now?" the lawyer said.

Whether they are suitable or not, the Working Party said these transfer mechanisms will remain valid until it has completed its assessment of Privacy Shield - likely by the middle of April.

It has asked the European Commission to provide all relevant Privacy Shield documents by the end of February.

Privacy Shield aims to offer stronger data protection to EU citizens, with the US providing written assurances it will not undertake mass surveillance of European data.

It also plans to set up an Ombudsperson to investigate accusations of spying, and force companies to respond to data complaints by certain deadlines.

Advertisement - Article continues below

The agreement drew a mixed reaction from businesses and privacy campaigners, with the latter group saying the agreement is not backed up by US law, which does allow mass surveillance.

Jim Killock, executive director of Open Rights Group said: "The rights we have under data protection, such as the right to obtain and correct our personal data, need to be legally enforceable in the USA, for every EU citizen. There seems to be great reluctance to introduce these rights in full in the USA for Europeans.

"The EU Commission is making matters worse by failing to communicate how serious the EU Court of Justice's demands are. Unless both the EU and USA face up to the need to protect our individual data protection rights, it will end up back in court.

"That will be no good for citizens or industry."

UK cloud firm Skyhigh Networks welcomed the agreement, however.

Kamal Shah, senior VP of products, said: "We are thrilled with the news from Brussels. The data flows between the USA and EU are so important to global business that it could have been a disaster if the previous confused situation was extended. Here's hoping that the full text is acceptable to all sides and businesses can transfer data across the Atlantic without fear of legal challenge."

The EU is now drafting an "adequacy decision" for the coming weeks, which the European Commission could adopt after receiving the Working Party's advice, and after consulting all member states.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020