Senior European officials have insisted that business on the continent is not about to be plunged into chaos after Europe’s highest court voted to revoke a crucial agreement for sharing data between the US and the EU.
Speaking at a press conference in Strasbourg on Tuesday afternoon, European Commission vice president Frans Timmerman and European Commission member in charge of justice, consumers, and gender equality Věra Journová said that Europe is seeking to ensure legal certainty for companies in light of the ruling by the European Court of Justice (ECJ) that the 2000 Safe Harbour decision is “invalid.”
Max Schrems, an Austrian privacy activist and former student, had taken legal action against Facebook in light of the NSA spying revelations in Ireland over alleged privacy violations. The Irish data protection office rejected Schrems’ case on the basis that it did not have legal authority to tackle it due to the Safe Harbour agreement legitimising the transfer of data from Europe to the US by American companies.
Schrems subsequently appealed, and the ECJ ultimately ruled that Safe Harbour is not a valid legal basis for data transfer. Around 4,500 companies make use of Safe Harbour.
Timmerman and Journová told assembled European journalists that the European Commission has three priorities: Ensuring EU citizens’ data is protected adequately, the continuation of transatlantic data flow, and a uniform response across Europe.
Journová said that a “coordinated response” would be “important” for businesses operating in Europe, and that the Commission will be issuing guidance to national data protection authorities in the weeks ahead. The aim is to have one unified set of policies implemented across Europe (as Safe Harbour was), and to avoid what Timmerman characterised as “a patchwork of potentially contradictory rulings.”
Such guidance will, the European Commission argues, provide “legal certainty” to businesses looking to operate in Europe.
As it stands, there is the risk that different governments and national data regulators will take very different approaches to data protection — forcing American companies seeking to do business in Europe to adapt to dozens of different regulatory environments. It’d be a chaotic, bureaucratic nightmare.
There’s even the risk that a country could demand that a company must store all data held on its citizens within the country — as is currently the case in Russia following the introduction of a new data law.
Since the Snowden revelations, the EU and the US has been negotiating a new basis for transfer of data that alleviates EU concerns over American spying on European citizens. Journová said in response to a question that she had “wanted to finalise the negotiations before summer, but I found out we need more time for the national security items.” She declined to give “any concrete day” for its finalisation.
In the absence of any “safer safe harbour” there are other mechanisms to legitimise the transfer of data between Europe and America, although none are as straight-forward as Safe Harbour. This includes via model clauses for contracts pre-approved by the EU, and by obtaining the informed consent of the data subjects.