European data protection authorities will gather in Brussels on Feb. 2, 2016 to find a common position on which legal channels companies can use to shuffle personal data across the Atlantic after the simplest system, known as Safe Harbour, was quashed by the top EU court due to concerns about US snooping.
The 15-year-old Safe Harbour framework used by over 4,000 firms to transfer Europeans data to the US was declared invalid by the European Court of Justice (ECJ) on Oct. 6 because the court found US national security requirements trumped privacy safeguards. This meant that the data were not adequately protected.
Under EU data protection law, companies cannot transfer EU citizens personal data to countries outside the EU deemed to have insufficient privacy safeguards, of which the US is one.
As Washington and Brussels stepped up discussions on a new pact, EU data protection authorities gave businesses a three-month grace period in which they could set up alternative legal systems to transfer data across the Atlantic. These would cover binding corporate rules within multinationals, model clauses between companies or requests to people for their consent.
EU data protection authorities also urged the US and EU to agree a new data transfer framework in the same period, failing which they could start taking enforcement action against companies if they decided that alternatives such as model clauses offered no greater protection against US snooping than the old Safe Harbour did.
The US submitted a package of proposals on a new Safe Harbour deal. If acceptable to the EU, a new framework could be submitted for approval by all 28 EU commissioners on Feb. 2 to coincide with the regulators meeting, the person said. However, further details may need to be ironed out after that.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now