US must make 'additional effort' on Safe Harbor, EU Commissioner says

The EU wants more legal concessions before allowing U.S. companies to process Europeans' personal data

The European Commission has outlined the areas in which it wants further concessions from the U.S. before a new Safe Harbor agreement on trans-Atlantic data transfers can be reached.

"We are close, but an additional effort is needed," European Commissioner for Justice Vĕra Jourová said Monday evening. There is still a need for binding commitments from the U.S. government, with additional safeguards on access to Europeans' data by U.S. public authorities and independent oversight in the area of national security, she said.

The original Safe Harbor agreement, under which businesses transferred the personal information of European Union citizens to the U.S. for storage and processing, was invalidated by the Court of Justice of the EU last year.

The agreement was important because the EU's 20-year-old Data Protection Directive forbids the export of citizens' personal information unless it benefits from the same privacy protections abroad as at home. U.S. law alone doesn't meet that requirement, but if companies also complied with the rules of the Safe Harbor framework, then the protection provided was adequate, the Commission decided in July 2000.

Last October, the court ruled that the framework was inadequate, calling into question the legality of many companies' data processing operations.

European data protection authorities gave the Commission and U.S. officials three months to come up with a new agreement before they started auditing companies' compliance with alternative mechanisms for authorizing data transfers, and that time is fast running out.

The new framework has to fully respect the requirements of the court ruling so that any new adequacy decision can withstand legal challenge, Jourová told the European Parliament's Committee on Civil Liberties, Justice and Home Affairs.

That gives the Commission little scope to make concessions of its own: The Court of Justice has set out the conditions on which U.S. data-processing companies can seek business from their European counterparts, leaving the Commission and the U.S. government to agree on how U.S. law can meet those conditions.

"It is not an easy task to build a strong bridge between two legal systems which have some major differences," Jourová said.

The original Safe Harbor deal sought to patch those differences with a voluntary agreement binding only on the companies that signed up to it, a failing pointed out by the court. The Commission's new approach is to seek fundamental changes in U.S. law or assurances that are binding on U.S. authorities, too.

The court's ruling also threw into question the alternative mechanisms that some companies have chosen to ensure they comply with European law. The changes the Commission is seeking now should help to protect data transferred under those mechanisms, too.

Jourová highlighted four areas where there were still obstacles to an agreement.

First, there is a need for further safeguards against access to Europeans' personal data by U.S. public authorities.

"The U.S. framework has evolved since the Snowden revelations," she said. The insights former U.S. National Security Agency contractor Edward Snowden's leaks provided into the agency's operations triggered the court case that ended the Safe Harbor agreement.

There have already been important reforms that introduced stronger oversight and more transparency, she said, but the Commission is still waiting for written assurances that there will be no indiscriminate mass surveillance and that U.S. authorities' access to Europeans' personal data will be limited to what is necessary and proportionate. These assurances will be reviewed

Second, she said, there must be independent oversight of government access to data, and the possibility for individual redress, even in cases involving the intelligence services. The U.S. Senate has not yet voted on the Judicial Redress Act, which goes some way towards this, although the House of Representatives has already approved the bill.

While the Judicial Redress Act provides that EU citizens will have the same right to redress as U.S. citizens through the courts, Jourová hinted that this may not be sufficient. In the case of complaints about the intelligence services, "This could be done by an ombudsperson with a real capacity to act, which would give a response to individual complaints," she said, according to a transcript of her speech.

In the third area, settling complaints about privacy violations by companies, a number of mechanisms have already been agreed. First, a company can try to resolve the problem itself. If that doesn't work, there is an alternative dispute resolution service. Finally, the U.S. Department of Commerce or the U.S. Federal Trade Commission could take it up. European data protection authorities will be able to channel complaints to those agencies.

These mechanisms might still leave some complaints unresolved. That's a problem, because the EU's Charter of Fundamental Rights says citizens have the right to a legal remedy, Jourová said.

"Therefore, we are working on a 'last resort' mechanism to ensure that all complaints are resolved through a binding and enforceable decision."

The fourth stumbling block is the need for commitments from the U.S. that are formal and binding, Jourová said. Since this is not a treaty but simply an exchange of letters, "We need signatures at the highest political level and publication of the commitments in the Federal Register," she said.

Work on those four points continued, with intensive discussions through the weekend, she said. "Negotiations are still ongoing, including at the political level."

Jourová planned to speak with U.S. Commerce Secretary Penny Pritzker later Monday and will discuss progress with her fellow European Commissioners on Tuesday afternoon.

Europe's data protection authorities are holding their own meeting on Tuesday. On Wednesday, they will publish their evaluation of the effect of recent changes in U.S. law on the alternatives mechanisms for trans-Atlantic data transfer.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Safe Harbor

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?