Out-Law News 2 min. read
02 Nov 2015, 3:22 pm
In a speech last week, EU justice commissioner Vera Jourová described the moves that are being taken to ensure that new privacy safeguards are built into 'Safe Harbour 2.0', as it has been dubbed in some quarters, to reflect the findings of an EU court ruling last month.
The Court of Justice of the EU (CJEU) ruled that the European Commission's decision in 2000 to recognise the current US safe harbour framework as providing for adequate data protection in line with the requirements of EU law was "invalid".
In its ruling the CJEU raised concerns about the access US authorities have to the transferred data and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.
EU and US officials are in the process of negotiating a new safe harbour agreement to help companies transfer personal data from the EU to the US in a way which is recognised as compliant with EU data protection standards.
Jourová said that the EU and US negotiators are "working hard ... to ensure that there are sufficient limitations and safeguards in place to prevent access or use of personal data on a 'generalised basis' and to ensure that there is sufficient judicial control over such activities".
She said that the US has committed to "supervision mechanisms" for data transfers made under Safe Harbour 2.0, such as "stronger oversight by the Department of Commerce (DoC), stronger cooperation with European DPAs and priority treatment of complaints by the Federal Trade Commission (FTC)".
Instead of being a "purely self-regulating" framework, Safe Harbour 2.0 will have a more pro-active and responsive "oversight system" and be backed up "by significant enforcement, including sanctions", Jourová said.
The commissioner said that the new safe harbour regime will be subject to annual review, and that the Commission wants EU data protection authorities "to have a more active and visible role in the system than previously was the case".
"For instance, we have worked on improving the interface and communication channels between DPAs and the DoC," Jourová said. "The DPAs will also have a role to play in the review of the functioning of the system."
Jourová also promised businesses that the Commission would set out new "guidance on international data transfers" in light of the CJEU's judgment. She said, though, that its work "cannot – and must not – replace the work of the data protection authorities in upholding and enforcing data protection rules".
"The Commission will continue to support their work in ensuring that a uniform approach is taken in the framework of the Article 29 Working Party," Jourová said.
The Article 29 Working Party, which is made up of the 28 EU data protection authorities, is currently reviewing whether other mechanisms that facilitate data transfers provide for adequate data protection when used for transferring personal data from the EU to the US in light of the CJEU's ruling.
Some data protection authorities in Germany have indicated their appetite to probe companies' data transfer arrangements and to prohibit data transfers that rely entirely on the existing EU-US safe harbour framework as demonstrating the compliance of those transfers with EU data protection law requirements.
However, the UK's data protection watchdog, the Information Commissioner's Office, has told businesses not to panic in reaction to the CJEU's judgment. It has said it is "certainly not rushing" to use its enforcement powers against organisations in relation to US data transfers.
"Of course we’ll consider complaints from affected individuals, whatever transfer mechanism you’re relying on, but we’ll be sticking to our published enforcement criteria and not taking hurried action whilst there’s so much uncertainty around and solutions are still possible," deputy UK information commissioner David Smith said last week. "We can’t create legal certainty where there is none but we will continue to work with our European counterparts in an effort to ensure that, as far as possible, we’re all delivering a single and sensible message."