US must make 'additional effort' on Safe Harbor, EU Commissioner says

The EU wants more legal concessions before allowing U.S. companies to process Europeans' personal data

The European Commission has outlined the areas in which it wants further concessions from the U.S. before a new Safe Harbor agreement on trans-Atlantic data transfers can be reached.

"We are close, but an additional effort is needed," European Commissioner for Justice Věra Jourová said Monday evening. There is still a need for binding commitments from the U.S. government, with additional safeguards on access to Europeans' data by U.S. public authorities and independent oversight in the area of national security, she said.

The original Safe Harbor agreement, under which businesses transferred the personal information of European Union citizens to the U.S. for storage and processing, was invalidated by the Court of Justice of the EU last year.

The agreement was important because the EU's 20-year-old Data Protection Directive forbids the export of citizens' personal information unless it benefits from the same privacy protections abroad as at home. U.S. law alone doesn't meet that requirement, but if companies also complied with the rules of the Safe Harbor framework, then the protection provided was adequate, the Commission decided in July 2000.

Last October, the court ruled that the framework was inadequate, calling into question the legality of many companies' data processing operations.

European data protection authorities gave the Commission and U.S. officials three months to come up with a new agreement before they started auditing companies' compliance with alternative mechanisms for authorizing data transfers, and that time is fast running out.

The new framework has to fully respect the requirements of the court ruling so that any new adequacy decision can withstand legal challenge, Jourová told the European Parliament's Committee on Civil Liberties, Justice and Home Affairs.

That gives the Commission little scope to make concessions of its own: The Court of Justice has set out the conditions on which U.S. data-processing companies can seek business from their European counterparts, leaving the Commission and the U.S. government to agree on how U.S. law can meet those conditions.

"It is not an easy task to build a strong bridge between two legal systems which have some major differences," Jourová said.

The original Safe Harbor deal sought to patch those differences with a voluntary agreement binding only on the companies that signed up to it, a failing pointed out by the court. The Commission's new approach is to seek fundamental changes in U.S. law or assurances that are binding on U.S. authorities, too.

The court's ruling also threw into question the alternative mechanisms that some companies have chosen to ensure they comply with European law. The changes the Commission is seeking now should help to protect data transferred under those mechanisms, too.

Jourová highlighted four areas where there were still obstacles to an agreement.

First, there is a need for further safeguards against access to Europeans' personal data by U.S. public authorities.

"The U.S. framework has evolved since the Snowden revelations," she said. The insights former U.S. National Security Agency contractor Edward Snowden's leaks provided into the agency's operations triggered the court case that ended the Safe Harbor agreement.

There have already been important reforms that introduced stronger oversight and more transparency, she said, but the Commission is still waiting for written assurances that there will be no indiscriminate mass surveillance and that U.S. authorities' access to Europeans' personal data will be limited to what is necessary and proportionate. These assurances will be reviewed

Second, she said, there must be independent oversight of government access to data, and the possibility for individual redress, even in cases involving the intelligence services. The U.S. Senate has not yet voted on the Judicial Redress Act, which goes some way towards this, although the House of Representatives has already approved the bill.

While the Judicial Redress Act provides that EU citizens will have the same right to redress as U.S. citizens through the courts, Jourová hinted that this may not be sufficient. In the case of complaints about the intelligence services, "This could be done by an ombudsperson with a real capacity to act, which would give a response to individual complaints," she said, according to a transcript of her speech.

In the third area, settling complaints about privacy violations by companies, a number of mechanisms have already been agreed. First, a company can try to resolve the problem itself. If that doesn't work, there is an alternative dispute resolution service. Finally, the U.S. Department of Commerce or the U.S. Federal Trade Commission could take it up. European data protection authorities will be able to channel complaints to those agencies.

These mechanisms might still leave some complaints unresolved. That's a problem, because the EU's Charter of Fundamental Rights says citizens have the right to a legal remedy, Jourová said.

"Therefore, we are working on a 'last resort' mechanism to ensure that all complaints are resolved through a binding and enforceable decision."

The fourth stumbling block is the need for commitments from the U.S. that are formal and binding, Jourová said. Since this is not a treaty but simply an exchange of letters, "We need signatures at the highest political level and publication of the commitments in the Federal Register," she said.

Work on those four points continued, with intensive discussions through the weekend, she said. "Negotiations are still ongoing, including at the political level."

Jourová planned to speak with U.S. Commerce Secretary Penny Pritzker later Monday and will discuss progress with her fellow European Commissioners on Tuesday afternoon.

Europe's data protection authorities are holding their own meeting on Tuesday. On Wednesday, they will publish their evaluation of the effect of recent changes in U.S. law on the alternative mechanisms for trans-Atlantic data transfer.


Peter Sayer

IDG News Service