European Commissioner for Justice and Consumers Věra Jourová addresses a news conference in Brussels about transatlantic data transfers on Nov. 6, 2015. Credit: European Union
The European Union put the onus firmly on the U.S. to make the next move in negotiating a replacement for the now-defunct Safe Harbor Agreement on privacy protection for transatlantic personal data transfers.
"We need a new transatlantic framework for data transfers," said Vĕra Jourová, the European Commissioner for Justice and Consumers, emphasizing the urgency of the situation. However, she said at a news conference in Brussels on Friday, "It is now for the U.S. to come back with their answers."
EU law requires that companies guarantee the same privacy protection for the personal information of EU citizens that they hold, wherever in the world they process it.
The Safe Harbor Agreement was a simple mechanism by which companies could offer that guarantee. Reached between the European Commission and the U.S. in 2000, it allowed U.S. companies to certify that they followed EU privacy rules -- but it was struck down by the Court of Justice of the EU on Oct. 6 for not providing sufficient legal safeguards.
On Friday, the Commission published a new guide for businesses looking for ways to legally export personal information to the U.S., post Safe Harbor. However, it does little more than repeat the advice the Commission gave on the day of the court's ruling.
"Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available," the guide says.
Jourová recognized that won't always be easy: "Companies face some limitations when relying on alternative tools."
Safe Harbor was simple for European companies to implement, as all they had to do was contract with a U.S. data processor registered under the agreement. It was the responsibility of the U.S. company to ensure compliance.
The alternative mechanisms provided for in the EU's 1995 Data Protection Directive -- standard contract clauses, binding corporate rules, or obtaining the informed consent of the person whose data is transferred -- put the responsibility squarely on the company at the origin of the transfer.
"Whatever they choose, they must be able to prove that the protection is in place, that they guarantee the protection of data transferred to the U.S. This is especially a challenge for SMEs," Jourová said.
Her colleague Andrus Ansip, European Commissioner for the Digital Single Market, pointed out that the use of these tools is nothing new: Many companies began complying with the directive's requirements in the five years before Safe Harbor was introduced.