Time is running out for Europe and the US to agree a new 'Safe Harbor' scheme to transfer private consumer data
They're working to build a replacement to "Safe Harbor," a mechanism for companies to legally transfer personal data that was struck down by Europe's highest court three months ago over fears of US government spying.
Failing to reach an agreement could leave the thousands of companies that send data between the EU and the US in limbo, and at risk of legal action from individuals and national regulators in Europe on the grounds that the US does not offer adequate protections for personal data.
Safe Harbor was abruptly invalidated by the European Court of Justice (ECJ) in October 2015. Max Schrems, an Austrian law student and privacy activist, had brought a case against Facebook in Ireland (its European headquarters) over US mass surveillance. Schrems argued that NSA spying meant that companies storing Europeans' data in the US could not sufficiently protect it. The Irish courts said they were powerless to act because of Safe Harbor - and so Schrems appealed to the ECJ, which invalidated the data transfer scheme altogether.
This has left US and EU negotiators desperately trying to build a new legal mechanism to legitimize transatlantic data transfers. Alternatives do exist - such as using pre-written "model clauses" that can be inserted into contracts, and obtaining the consent of the data subjects - but none are as straightforward as Safe Harbor was.
Negotiators have already missed one deadline set by Europe's privacy regulators, on Sunday night, The New York Times reports. They're now working to hammer something out tomorrow before the Article 29 working party meets this week.
So what happens if negotiators fail to come to an agreement - or if the working party rejects the proposals?
"We may see enforcement actions against companies that are still relying on Safe Harbor as the only basis for legitimizing their transfers of personal data to the US," privacy lawyer Susan Foster from law firm Mintz Levin told Business Insider. "It's likely that the initial targets would be US-headquartered companies, but European companies could be targets too. This is particularly a risk for European companies who want to transfer personal data to data processors in the US."
We should expect to see legal action almost immediately if a deal isn't reached, Foster says - initially focused on high-profile companies. "Will we see enforcement action immediately if no new Safe Harbor is reached this week? I think we are likely to see a few high-profile investigations pretty quickly. However, data protection authorities don't have unlimited resources, so initial investigations will probably be driven either by complaints from individuals, such as Maximillian Schrems' continuing complaints against Facebook, or other large targets that will generate a lot of publicity in return for a relatively small investment in enforcement funds."