European privacy regulators have given the European Commission and United States three months to come up with a new privacy system enabling them to shuffle data across the Atlantic.
The highest EU court struck down the Safe Harbour rules used by over 4,000 firms to transfer personal data to the United States.
Under EU data protection law, companies cannot transfer EU citizens’ personal data to countries outside the EU deemed to have insufficient privacy safeguards.
The court decided that the US with its history of spying on the EU and court orders demanding its citizens hand over European data was not safe.
The EU watchdogs issued a statement over the weekend saying that: “If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
However it is a bit tricky. The Commission and the United States have been in talks for two years to reform Safe Harbour after Edward Snowden revealed the existence of mass US government surveillance programs.
Talks have been hampered by the difficulty of extracting sufficient guarantees by the fact that the US believes that it rules the world and can do what it likes.
The regulators said in their statement the EU and the United States should negotiate an “intergovernmental agreement” providing stronger privacy guarantees to EU citizens, including oversight on government access to data and legal redress mechanisms.
Multinationals can set up internal privacy rules which have to be approved by regulators to transfer data to the United States, known as binding corporate rules. However, only about 70 companies currently use this system.
Lawyers have said alternative data transfer systems could also be at risk to legal challenge since they do not provide stronger protection against US government snooping than Safe Harbour did.