In a recent speech in the US, Věra Jourová – EU Commissioner for Justice, Consumers and Gender Equality – set out the progress that has been made towards an agreement for EU-US data transfers.
Speaking at the Brookings Institution last month, Commissioner Jourová stated that she is confident that agreement will be reached by January 2016. In particular, the Commissioner cited the following reasons for optimism:
- recent guidelines issued by the Court of Justice of the European Union ('CJEU') in its Schrems judgment;
- the advanced state of negotiations between the US and EU, which started in January 2014;
- the fact that agreement is in the best interests of EU and US citizens; and
- the strong political commitment by decision makers on both sides of the Atlantic to make progress.
Long term solution needed
Commissioner Jourová expressed the view that, since the CJEU found Safe Harbor invalid, existing alternative methods of transferring data from the EU to the US "are a short-term solution". It is likely that the Commissioner was referring to EU Commission-approved standard contractual clauses and derogations existing under the Data Protection Directive (such as consent and contractual necessity).
Commenting on the Schrems decision, Commissioner Jourová made it very plain that the message the European Commission has received is that "where personal data travels, the protection has to travel with it".
Commissioner Jourová specifically sought to dispel some myths and misunderstandings that the Commission believes have arisen since the Schrems decision was delivered:
- The CJEU did not make any judgment about the state of the US legal system. Rather, the court stated that, to enable EU/US transfers of personal data, the US has to offer safeguards which are "globally equivalent" to the safeguards enjoyed by EU citizens.
- The Commission, alongside the various national EU data protection authorities, has sought to ensure uniform application of the Schrems ruling across the EU. The Commission is keen to highlight that EU data protection law has not become unduly fragmented.
- The Commission is still empowered to make decisions about whether a third country outside the European Economic Area has adequate safeguards in place to allow the transfer of EU personal data. Only the CJEU can invalidate any such adequacy decision.
While observers may question whether EU data protection law has become fragmented, it is clear that the Commission is aware of the practical consequences of Schrems for international businesses and is seeking to provide assurances.
A lot done, more to do?
Commissioner Jourová also went to lengths to highlight the changes that have already been made as a result of the US government's engagement with the EU Commission since January 2014:
- There is now stronger oversight by the US Department of Commerce and greater cooperation between European data protection authorities and the Federal Trade Commission.
- Work is being undertaken to put in place an annual joint review mechanism. This will cover all aspects of the functioning of any new agreed data transfer framework and will involve relevant authorities from both the EU and the US.
- With the passing of the Judicial Redress Bill by the Senate, the US is moving towards providing EU citizens with the ability to assert privacy claims against the US government. President Obama has also recently directed that American intelligence agencies must have regard to the privacy rights of non-Americans.
It remains to be seen if the Commissioner's confidence will be reflected in agreement between the parties by January 2016. What is clear from Commissioner Jourová's speech, however, is that there are intensive efforts behind the scenes by both the EU and US to resolve the difficulties which have arisen as a result of Safe Harbor.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.