The European Commissioner for Justice, Consumers and Gender Equality, Vĕra Jourová, attended a session of the European Parliament in Strasbourg on January 19, 2016. Credit: © European Union, 2016
The European Commission has outlined the areas in which it wants further concessions from the U.S. before a new Safe Harbor agreement on trans-Atlantic data transfers can be reached.
"We are close, but an additional effort is needed," European Commissioner for Justice Vĕra Jourová said Monday evening. There is still a need for binding commitments from the U.S. government, with additional safeguards on access to Europeans' data by U.S. public authorities and independent oversight in the area of national security, she said.
The original Safe Harbor agreement, under which businesses transferred the personal information of European Union citizens to the U.S. for storage and processing, was invalidated by the Court of Justice of the EU last year.
The agreement was important because the EU's 20-year-old Data Protection Directive forbids the export of citizens' personal information unless it benefits from the same privacy protections abroad as at home. U.S. law alone doesn't meet that requirement, but if companies also complied with the rules of the Safe Harbor framework, then the protection provided was adequate, the Commission decided in July 2000.
Last October, the court ruled that the framework was inadequate, calling into question the legality of many companies' data processing operations.
European data protection authorities gave the Commission and U.S. officials three months to come up with a new agreement before they started auditing companies' compliance with alternative mechanisms for authorizing data transfers, and that time is fast running out.
The new framework has to fully respect the requirements of the court ruling so that any new adequacy decision can withstand legal challenge, Jourová told the European Parliament's Committee on Civil Liberties, Justice and Home Affairs.
That gives the Commission little scope to make concessions of its own: The Court of Justice has set out the conditions on which U.S. data-processing companies can seek business from their European counterparts, leaving the Commission and the U.S. government to agree on how U.S. law can meet those conditions.
"It is not an easy task to build a strong bridge between two legal systems which have some major differences," Jourová said.
The original Safe Harbor deal sought to patch those differences with a voluntary agreement binding only on the companies that signed up to it, a failing pointed out by the court. The Commission's new approach is to seek fundamental changes in U.S. law or assurances that are binding on U.S. authorities, too.
Sign up for CIO Asia eNewsletters.