Monday 16 September 2019

Safe Harbour: EU to clarify law whether firms can transfer data from US to US

Mike Schroepfer
Mike Schroepfer
Adrian Weckler

Adrian Weckler

The European Commission has sought to clear up the law on whether companies can transfer data from the EU to the US and has promised a new deal on the issue with the US within three months.

The move comes a month after the the European Court of Justice struck down the legal basis under which many companies send data between the EU and the US.

That legal tool, called the ‘Safe Harbour’ treaty, was found to be invalid due to US authorities snooping on EU citizens’ information.

Data privacy experts warn that unless the stops indiscriminately collecting EU citizens' data, any new treaty is likely to face difficulty with the European Court of Justice and national data protection authorities.

However, the European Commission today set out what it claims are alternative legal ways for companies like Facebook and Google to transfer its customers’ data across the Atlantic.

"We need an agreement with our US partners in the next three months,” said Andrus Ansip, EU vice-president for the digital single market.

“The Commission has been asked to take swift action and this is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations. The EU and the US are each other's most important trading partners. Data flows between our continents are essential for people and businesses. While alternative tools exist, a safer new Framework is the best solution to protect our citizens and cut red tape for businesses, especially start-ups".

The Commission said that companies could rely on:

- Contractual solutions: “contractual rules should obligations, such as security measures, information to the data subject, safeguards in case of transfer of sensitive data.” It also supplied examples of model standard contractual clauses on its website ( However, model contract clauses have been criticised by some data protection experts as being insufficient given the ECJ’s ruling.

- Binding Corporate Rules for intra-group transfers: “These allow personal data to move freely among the different branches of a worldwide corporation. They have to be authorised by the DPA in each Member State from which the multinational wishes to transfer data.”

The Commission said that derogations to the scheme include the conclusion or performance of a contract, the establishment, exercise or defence of legal claims and the “free and informed consent” of individuals.

“I have stepped up talks with the US towards a renewed and sound framework for transatlantic data flows and will continue these discussions in Washington next week,” said Vera Jourová, EU commissioner for justice. “Any new arrangement has to meet the requirements of the [European] Court ruling.”

Earlier this week, Facebook chief technology officer Mike Schroepfer told the Irish Independent that the proposition of invalidating data transfers between Europe and the US was technically confusing.

"One thing I'd ask you to consider is that the entire purpose of the product is to allow you to share what you want with your friends,” he said at the Web Summit. “You upload a photo and share it with your friends. Let's assume that one of your friends is American. In order for them to see that photo, we actually have to send it to them in America. They have to be able to access this data. So it's a global network where you can interchange this data and that's the entire purpose of the product.

“We're obviously following all of the regulations. And it's not just Facebook. This goes for email, everything. It's about sending data."

Asked about how Facebook would separate out data if a data protection agency ruling went against it, Mr Schroepfer said that it was unclear.

"I'm not exactly sure,” he said. “Because our product is specifically designed to send your data to somebody else. We'll see how this pans out.

Online Editors

Also in Business