EU Upbeat on Safe Harbor, At Odds on Data Retention

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Dec. 3 — In an unusual public disagreement, European Union officials Dec. 3 conceded they were at odds over whether to propose new EU-level rules to replace the Data Retention Directive (2006/24/EC), which was ruled illegal by the European Court of Justice (ECJ) in April 2014.

Speaking at a briefing after a meeting of EU member state justice ministers, Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality, said that the commission—the EU's executive arm—had no intention of proposing a new data retention law, but EU countries were “free to retain their current data retention systems or set up new ones.” The calls for a new data retention rules come amid calls for stronger anti-terrorism measures.

Jourová also reported on negotiations to replace the U.S.-EU Safe Harbor, which the ECJ invalidated Oct. 6 (194 PRA 194, 10/7/15).

The invalidation of the Safe Harbor—which permitted transfers of personal data controlled in the EU to the U.S. on the basis that participants complied with principles similar to those in the EU Data Protection Directive (95/46/EC)—affected not only some 4,400 U.S. companies certified in the program but untold thousands of EU companies that relied on the certification to transfer personal data to those companies.

Jourová’s spokesman Christian Wigand told Bloomberg BNA Dec. 3 that the EU and U.S. have “agreed on concrete next steps in order to come to a conclusion before the end of January 2016.” EU data protection authorities have said that they will start to enforce the ECJ's invalidation of Safe Harbor and could suspend transatlantic data transfers unless a replacement mechanism is in place by the end of January 2016.

Jourová will go to the European Parliament's Civil Liberties, Justice and Home Affairs Committee Dec. 10 to give a public report-back on the Safe Harbor negotiations, Wigand said.

Luxembourg Expresses Disagreement

Felix Braz, the justice minister of Luxembourg, speaking at the same briefing, said “we do not agree on that point,” and the “discussion will for sure go on” because a majority of EU member states wanted a new EU data retention law.

Luxembourg currently holds the rotating presidency of the Council of the EU, which represents the governments of member states. Ahead of the justice ministers' meeting, Luxembourg said it would ask ministers to consider a new EU-level data retention initiative because without EU harmonization, prosecution of cross-border crimes and terrorism could be made more difficult (229 PRA, 11/30/15).

The Data Retention Directive required telecommunications companies and Internet service providers to retain, for up to two years, certain user personal data and communications data and provide it to law enforcement authorities if requested. It was invalidated by the ECJ on the grounds that blanket data retention requirements violated privacy rights (68 PRA, 4/9/14).

Waiting for Another Ruling

Braz said that when Luxembourg asked other countries to consider a new data retention law, “the answers were not unanimous, but we have a large majority favoring a common European answer.”

He added that some justice ministers wanted to wait for the outcome of a data retention case before the EU Court of Justice.

The Stockholm Administrative Appeals Court, Sweden, asked the ECJ in May 2015 for a preliminary ruling in a case concerning Swedish telecommunications company Tele2 Sverige AB.

After the ECJ's cancelation of the Data Retention Directive, Tele2 said it would delete the customer data that it had been required to store under the Swedish law implementing the directive, but a Stockholm court found that the Swedish government could continue to require data retention. Tele2 appealed the ruling and the case was referred to the ECJ (64 PRA, 4/3/15).

Braz said the ECJ could rule in the case during 2016, at which point some EU countries would decide whether or not to back new a EU-level data retention law.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at

Request Bloomberg Law: Privacy & Data Security