An influential group of Europe’s data protection authorities has warned that US and EU negotiators have until the end of January to agree on a new system to allow Europeans' data to be transferred across the Atlantic, or risk enforcement action.
The Article 29 Working Party stated in a strongly worded letter on Friday that it is “absolutely essential to have a robust, collective and common position on the implementation of the [European Court of Justice] judgment.”
The CJEU stunned the tech world earlier this month when it ruled in favor of German law student Max Schrems, who complained that his Facebook data may not be safe in the US thanks to NSA snooping.
This effectively invalidated the 15-year Safe Harbor agreement protecting data transfers between the two regions.
The Working Party clarified that the question of “massive and indiscriminate” surveillance by the US authorities is at the heart of the ruling.
It urged US and EU negotiating teams to accelerate the process of finding “political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.”
The two groups have been discussing a new Safe Harbor agreement for two years now, so this latest missive as well as the CJEU’s ruling should help speed things up – especially as any data transfers made under the old Safe Harbor have now been rendered “unlawful.”
Standard Contractual Clauses and Binding Corporate Rules can still be used to effect legal data transfers, although Europe’s data protection authorities reserve the right to investigate cases.
The letter added:
“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Thomas Boué, Head of Policy EMEA at anti-piracy pressure group BSA | The Software Alliance, criticized the Working Party for failing to provide more concrete guidance.
“At a time when companies are seeking much needed clarity, we are beyond disappointed that the Article 29 Working Party failed to embrace the opportunity to provide this necessary clarity to the nearly 5,000 data processors, and the hundreds of millions of customers who rely on their services, in both the EU and the United States,” he argued.
“The Working Party's call to action at all levels to seek solutions is indeed a necessary and urgently needed step, and we look forward to our continued work with US and European officials on these efforts.”