Time is running out for Europe and the US to agree a new 'Safe Harbor' scheme to transfer private consumer data

Advertisement

mark zuckerberg angry unhappy speaking

REUTERS/Jonathan Ernst

Facebook CEO Mark Zuckerberg.

Time is running out for negotiators working on a new transatlantic data transfer scheme between the European Union and the US ahead of a Tuesday deadline.

Advertisement

They're working to build a replacement to "Safe Harbor," a mechanism for companies to legally transfer personal data that was struck down by Europe's highest court three months ago over fears of US government spying.

Failing to reach an agreement could leave the thousands of companies that send data between the EU and the US in limbo, and at risk of legal action from individuals and national regulators in Europe on the grounds that the US does not offer adequate protections for personal data.

Safe Harbor was abruptly invalidated by the European Court of Justice (ECJ) in October 2015. Max Schrems, an Austrian law student privacy activist, had brought a case against Facebook in Ireland (its European headquarters) over US mass surveillance. Schrems argued that NSA spying meant that companies storing Europeans' data in the US could not sufficiently protect it. The Irish courts said they were powerless to act because of Safe Harbor - and so Schrems appealed to the ECJ, which invalidated the data transfer scheme altogether.

This has left US and EU negotiators desperately trying to build a new legal mechanism to legitimize transatlantic data transfers. Alternatives do exist - such as using pre-written "model clauses" that can be inserted into contracts, and obtaining the consent of the data subjects - but none are as straightforward as Safe Harbor was.

Advertisement

Negotiators have already missed one deadline set by Europe's privacy regulators, on Sunday night, The New York Times reports. They're now working to hammer something out tomorrow before the Article 29 working party meets this week.

So what happens if negotiators fail to come to an agreement - or if the working party rejects the proposals?

"We may see enforcement actions against companies that are still relying on Safe Harbor as the only basis for legitimizing their transfers of personal data to the US," privacy lawyer Susan Foster from law firm Mintz Levin told Business Insider. "It's likely that the initial targets would by US-headquartered companies, but European companies could be targets too. This is particularly a risk for European companies who want to transfer personal data to data processors in the US."

We should expect to see legal action almost immediately if a deal isn't reached, Foster says - initially focused at high-profile companies. "Will we see enforcement action immediately if no new Safe Harbor is reached this week? I think we are likely to see a few high-profile investigations pretty quickly. However, data protection authorities don't have unlimited resources, so initial investigations will probably be driven either by complaints from individuals, such as Maximillian Schrems' continuing complaints against Facebook, or other large targets that will generate a lot of publicity in return for a relatively small investment in enforcement funds."

NOW WATCH: This snooze-proof alarm is so genius it might make you a morning person