EU data protection watchdogs could tighten restrictions on new EU-US data transfers

Out-Law News | 21 Jan 2016 | 5:29 pm | 3 min. read

Businesses could face new restrictions on the way they transfer personal data from the EU to the US from as early as 2 February, according to a Reuters report.

The news agency said that EU data protection authorities (DPAs) are considering implementing a ban on companies agreeing new binding corporate rules (BCRs) or installing model contract clauses into new data transfer agreements. The DPAs are expected to adopt a common approach on issues relating to EU-US data transfers at a meeting on 2 February.

Existing data transfers underpinned by BCRs or model clause arrangements already in place might also be at risk if complaints are raised about whether they provide for adequate data protection, under the plans DPAs are considering, the Reuters report said. However, not all national DPAs support the restrictions that are being debated, according to the report.

The Article 29 Working Party, a committee made up of representatives from DPAs across the EU, is currently reviewing mechanisms enabling data transfers, including model contract clauses and binding corporate rules, in light of a ruling by the Court of Justice of the EU (CJEU) last October. The CJEU ruled that a framework which facilitated transfers of personal data from the EU to the US was invalid.

The judgment prompted the Working Party to look at whether other tools used to underpin data transfers outside of the EU, and particularly to the US, such as BCRs and model clauses, provide for adequate data protection for the transferred data as is required by EU data protection laws.

The Working Party previously called on EU and US officials to "find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights" by the end of January 2016. It has suggested that DPAs might take enforcement action against companies after then if it finds they are relying on data transfer mechanisms that fail to provide for adequate data protection.

Since the CJEU ruling, EU and US officials have been in negotiations over the establishment of a new 'safe harbour' framework, dubbed by some as 'safe harbour 2.0', to facilitate transfers of personal data to the US from the EU in a way that complies with EU law. According to the Reuters report, EU DPAs could refrain from placing new restrictions on EU-US data transfers if proposals for safe harbour 2.0 are tabled in time for consideration at the Working Party's 2 February meeting.

Paris-based information law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said: "What businesses need is for data protection authorities to adopt a pragmatic approach on the issue of data transfers to the US. If there is a moratorium placed on new BCRs and model contract arrangements then this would have a serious impact on international trade."

"Reliance on alternative legal tools for facilitating data transfers, such as the consent of data subjects, will not be possible in many cases. For example in France companies seeking to transfer employee data outside of the EEA are prohibited from doing so only based on consent from data subjects in recognition of the imbalance there is in the employer/employee relationship and the lack of a realistic option for employees to say no to those arrangements," Richard said.

"In the absence of any safe harbour regime and if there are restrictions on use of BCRs and model clauses, many companies would be forced to deploy technical and organisation measures on a case-by-case basis to legitimise data transfers and conform to the 'adequacy' requirements of EU data protection law. This is impractical in a modern, digital business context," Richard said.

"It is right that EU policy makers are pushing for higher standards of data privacy protection when data reaches the US. However, it would be wrong for data protection authorities to view any failure by them to agree 'safe harbour 2.0' imminently as a green light to burden businesses that try to do what is right and that have regard for privacy with major restrictions on day-to-day operations at this time," she said.

Reuters has separately reported that the passage into law of the proposed Judicial Redress Act in the US has been delayed. The Act would give EU citizens a right to judicial redress in the US where their data is misused by US agencies.

In September last year, EU and US officials agreed a new 'umbrella agreement' on data protection which sets out a range of privacy "protections" for data that is exchanged between law enforcement agencies in the EU and US. That agreement does not of itself provide a lawful authority for the transfer of the data to the US from the EU. At the time the new agreement was announced, however, EU justice commissioner Věra Jourová confirmed that the new agreement would not come into effect until the Judicial Redress Act was adopted by US law makers.

In its October ruling the CJEU raised concerns about the access US authorities have to the personal data transferred from the EU and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.