EU and US officials fail to meet deadline on 'safe harbour 2.0'

Out-Law News | 01 Feb 2016 | 5:20 pm | 2 min. read

EU and US officials have failed to meet a deadline for agreeing a new framework to facilitate the transfer of personal data across the Atlantic, according to media reports.

The officials have been in negotiations over the establishment of a new 'safe harbour' framework, dubbed by some as 'safe harbour 2.0', to facilitate transfers of personal data to the US from the EU in a way that complies with EU law since an EU court invalidated the previous safe harbour regime in October last year.

After the Court of Justice of the EU (CJEU) ruling a committee representing national data protection authorities (DPAs) across the EU called on EU and US officials to "find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights" by the end of January 2016.

However, the New York Times has reported that that deadline has passed without agreement on safe harbour 2.0. It said EU and US officials will attempt to "agree a broad deal" on EU-US data transfers before a meeting of the EU data protection authorities later this week.

The Article 29 Working Party is scheduled to meet on 2 and 3 February to discuss, among other things, what approach to adopt on the issue of EU-US data transfers in light of the CJEU's judgment. It has been reviewing existing tools beyond the safe harbour framework that are used to underpin data transfers outside of the EU, such as binding corporate rules and model contract clauses, to check they provide for adequate data protection, as is required by EU law when personal data is being transferred outside of the European Economic Area.

The Working Party has previously hinted that individual DPAs might take enforcement action against companies if the January 2016 deadline passed without its initial concerns being addressed and if they subsequently found companies were relying on data transfer mechanisms that fail to provide for adequate data protection.

A recent Reuters report suggested the Working Party is considering placing new restrictions on EU-US data transfers at its meeting this week. Reuters reported that the Working Party could step back from setting out further restrictions on data transfers after its meeting if proposals for safe harbour 2.0 were tabled in time for consideration by the DPAs at the meeting. understands that the Working Party is likely to hold a press conference on Wednesday afternoon to outline what the DPAs have agreed at their meeting.

In light of the Reuters report, Paris-based information law expert Annabelle Richard of Pinsent Masons, the law firm behind, said that businesses need data protection authorities to adopt a pragmatic approach on the issue of data transfers to the US. 

Data protection expert Marc Dautlich of Pinsent Masons said that the legal position regarding safe harbour has been clear since the CJEU judgment in October 2015. He said the subsequent "grace period" the DPAs offered businesses to adopt an alternative mechanism for data transfers or face enforcement action has now come to an end, subject to any last minute extension to be notified on Wednesday.

Dautlich said businesses have faced challenges when carrying out due diligence on their data transfer arrangements in the past few months since the CJEU ruling, including establishing which of their contracts concern the transfer of personal data and understanding complex sub-contracting arrangements.

Dautlich said it is likely that the US data transfer arrangements of "high profile companies" will be subject to particularly close scrutiny.  

The UK's Information Commissioner's Office's (ICO) public guidance and comments to-date on its enforcement stance have been low-key compared to some EU data protection authorities. Announcements by the Article 29 Working Party and individual DPAs over the coming days will be a test of the level of co-operation in practice between the DPAs, and provide an insight into future consistency issues under the General Data Protection Regulation, Dautlich said.