The European Commission has sought to calm fears that the ‘Safe Harbour’ ruling by the region’s top court yesterday could halt transatlantic data flows, claiming it would provide clear guidance on workarounds and aim to renegotiate the agreement in light of the decision.
The European Court of Justice’s landmark ruling on Tuesday effectively invalidated the Safe Harbour agreement between the US and Europe. For the past 15 years it has enabled data on European citizens to be stored in the US despite the fact the latter’s data protection regime doesn’t meet Europe’s more exacting standards.
Commentators fear that it could have widespread repercussions on US cloud computing providers and European customers who outsource various IT functions to providers with US data centers – adding unwanted extra cost and complexity.
However, the European Commission’s first vice-president Frans Timmermans and commissioner Vera Jourová cut a more conciliatory path during a press conference following the announcement.
Although they recognized the ruling was an important step towards upholding European citizens’ rights to data protection, Timmermans claimed that it also provided confirmation of the Commission’s approach for renegotiating the Safe Harbour agreement.
“We have already been working with the American authorities to make data transfers safer for European citizens. In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic,” he said in a statement.
“In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.”
Commissioner Jourová added that following the Edward Snowden revelations of the NSA’s PRISM scheme in 2013 – which first spurred law student Max Schrems to complain about his Facebook data – the Commission had already identified shortcomings and recommended 13 steps to make Safe Harbour safer.
“And we have made important progress that we can now build on in light of the judgment,” she added.
“Our aim is to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic.”
In the meantime, there are other mechanisms which can ensure the safe international transfer of personal data, including “standard data protection clauses in contracts between companies exchanging data across the Atlantic or binding corporate rules for transfers within a corporate group.”
There are also various ‘derogations’ which allow data transfer, including if it is in the vital interest of the subject, in the public interest, or if it has the “free and informed consent of the individual,” she said.
“We will work together with the national data protection authorities to ensure a coordinated response on alternative ways to transfer data,” she reassured. “This is important for European businesses.”
The United States government’s response was notably spiky.
“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both US and EU companies and consumers, and puts at risk the thriving transatlantic digital economy,” said commerce secretary, Penny Pritzker, in a statement.
“Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this framework over the last 15 years.”
Pritzker also argued that the court’s decision had made the renegotiation of the Safe Harbour agreement a necessity “as soon as possible.”