The United States and Europe have three months to work out a procedure for the transfer of personal data to the US from the EU, representatives of an independent advisory body that brings together data protection regulators from the EU’s member states announced on Saturday.
The announcement, by the EU’s Article 29 Working Party, gives guidance to businesses and other organizations that send data ranging from posts on social media to personnel records across the Atlantic following a ruling in October by the European Court of Justice (ECJ) invalidating a so-called safe harbor that had governed such transfers since 2000.
The ruling by the ECJ highlighted the cross-border flow of data and raised anew questions about the protections for privacy in a digital economy. It also upended the expectations of more than 4,000 companies, including tech giants such as Facebook, Amazon, and Google, that had certified compliance with the safe harbor to relay data from Europe to the US.
The statement by the Article 29 Working Group aims to allay fears by companies that the ECJ’s ruling might spur regulators in Europe to bring enforcement actions against companies for mishandling data transfers. In the meantime, companies can use contracts to assure privacy safeguards or adopt rules that protect the privacy of data transfers among corporate subsidiaries.
Officials on both sides of the Atlantic also say they will continue negotiations on a pact that can replace the safe harbor. If the sides cannot agree by the end of January, regulators in each of the EU’s member states will “take all necessary and appropriate action, including coordinated enforcement actions,” the Working Party said in its statement.
“Transfers of personal data are an essential element of the transatlantic relationship,” the group added. “The EU and the US are each other’s most important trading partners, and data transfers, increasingly, form an integral part of their commercial exchanges.”
The safe harbor reconciled differences in privacy protection between the US and EU, which holds that citizens have a fundamental right to privacy with respect to the processing of their data. The US regulates privacy by sector but lacks a national scheme.
The ECJ nullified the safe harbor as part of its resolution of a referral from Ireland’s high court, which had referred the matter to the ECJ following a ruling by the republic’s data protection commission (DPC) that the safe harbor preempted investigation of a claim of an alleged violation.
The case began in June 2013, when Max Schrems, then a law student at the University of Vienna, filed a complaint with the DPC charging that Facebook, which maintains its European headquarters in Dublin, sent at least some of the information he and his fellow citizens of the EU posted on the site to servers the company operates in the United States.
Schrems premised his complaint on leaks by Edward Snowden, who documented how the National Security Agency obtained information about users from Facebook, Google, and other tech firms. The surveillance, Schrems asserted, contravened the EU’s protections for personal data.
The ECJ agreed. According to the court, the National Security Agency’s ability to compel tech firms to hand over electronic communications provided by their users “must be regarded as compromising the essence of the fundamental right to respect for private life.”
In January 2014, the Obama administration and tech companies announced a deal that allows the companies to disclose information about data they are required to share with the government