The European Union’s Commissioner for Justice, Věra Jourová, visited Washington DC last week to meet with US officials and discuss cross-border data transfers, including further negotiations on a revised Safe Harbor agreement. The original Safe Harbor framework that permitted transfers of personal data of European citizens to the United States was declared invalid by the Court of Justice of the European Union (“CJEU”) on October 6, 2015. The CJEU focused its decision on the fact that the Safe Harbor framework did not limit US law enforcement and national security authorities from accessing European personal data on a generalized basis (despite protestations from the US government that such a characterization was inaccurate).
While the CJEU declared the Safe Harbor framework to be invalid on October 6, the EU Commission has been negotiating with the US Department of Commerce on revisions to Safe Harbor for nearly two years. In late 2013, in the wake of Edward Snowden's revelations, the European Commission came forward with concerns with the Safe Harbor framework and published a list of 13 ways that the framework could be improved. Many of those improvements have been agreed to, and implemented, by the US government.
In mid-November, with the CJEU decision and the terrorist attacks in Paris looming large in the background, Commissioner Jourová reaffirmed her commitment to reach resolution on a new agreement before January 31, 2016. “I am confident that we will meet the deadline of January 2016 for a new agreement on international commercial data transfers,” she said during a speech at the Brookings Institute. She added that the deadline was achievable, in part, because of progress already made in the negotiations.
The January deadline was effectively set by the Article 29 Working Party, an independent advisory body composed of representatives from all the Data Protection Authorities (“DPAs”) in the member states. On October 16, this body announced that it would take all “necessary and appropriate actions,” including enforcement actions, after that date if no appropriate solution was found. The statement said that “the current negotiations around a new Safe Harbor could be a part of the solution.” It is important to note, however, that the DPAs are independent authorities and that any new Safe Harbor framework would be subject to close examination by each DPA, particularly in light of the October 6 CJEU decision that held that, as a procedural matter, the EU Commission cannot restrict individual DPAs from examining the adequacy of individual country data privacy regimes.
Following the October 6 CJEU decision, US companies have looked to other mechanisms for transatlantic data transfers available under EU data protection law, specifically the use of accepted Standard Contractual Clauses as well as Binding Corporate Rules. Commissioner Jourová made clear in her speech that such mechanisms are a “short-term solution” and that a new, comprehensive Safe Harbor agreement with strong privacy safeguards would be the best way to achieve effective protection of EU citizens’ data.
Commissioner Jourová’s emphasis on the importance of Safe Harbor and her confidence in achieving the January 31 deadline notwithstanding, important issues remain on the table. In reports issued in advance of and during her US visit, Commissioner Jourová elaborated on a number of details that might be included in a new Safe Harbor framework:
- Increased Oversight: Commissioner Jourová shared that the US Commerce Department has already committed to stronger oversight of companies and increased cooperation between the European Data Protection Authorities and the Federal Trade Commission (which has enforcement authority under the Safe Harbor framework). She shared that negotiators are discussing the details of an annual joint review mechanism, which could include “qualitative” reports from companies on requests they receive from US intelligence and law enforcement authorities to provide European citizens’ data.
- Passage of Judicial Redress Act: The EU Commission has long sought the same privacy rights and remedies for European citizens that US citizens have under the Privacy Act of 1974. The Judicial Redress Act (H.R. 1428), if signed into law, would extend many of those same rights under the Privacy Act to European citizens. The legislation passed the House, but has yet to come up for debate in the Judiciary Committee in the Senate. During her US visit, Commissioner Jourová met with US Congressional leaders to discuss the legislation. Passage of the Judicial Redress Act is also necessary for final adoption of the “Umbrella Agreement,” a tentative deal reached in September meant to provide a data protection framework for the exchange of transatlantic data shared between law enforcement authorities.
- US Intelligence Authorities: Surveillance issues have been at the center of the debate around Safe Harbor. Commissioner Jourová made clear during her visit that US intelligence and law enforcement authorities continue to be the biggest issue in the negotiations with the United States, and that a new Safe Harbor framework must fully satisfy the CJEU’s requirements. This is an area where we anticipate various independent DPAs to closely examine the new Safe Harbor framework pursuant to the October 6 CJEU decision.