Safeguards Uncertainty Holds Up Safe Harbor 2.0 Deal

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Feb. 1 — An agreement between the U.S. and the European Union on a new data transfer framework to replace the invalidated Safe Harbor arrangement continues to stall over safeguards on law enforcement access to personal data and the exact form of redress mechanisms, the EU's top data protection official said Feb. 1.

To forestall enforcement action by EU data protection authorities, a replacement for Safe Harbor should have been in place Jan. 31, but U.S.-EU talks on the issue “have not been easy,” and “an additional effort is needed,” Vĕra Jourová, the European Commissioner for Justice, Consumers and Gender Equality, said.

Jourová was speaking in Strasbourg, France at a hearing of the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee.

If anything, the prospects of a swift agreement seemed to recede, as LIBE lawmakers questioned the legal status of guarantees on privacy safeguards that might be given by the U.S. in order to conclude a Safe Harbor replacement agreement, and whether those safeguards would satisfy the European Court of Justice.

Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA Feb. 1 that “the commission seems to be very afraid that any new agreement will end up in court again, so they will take the time they need to negotiate.”

The ECJ Oct. 6 invalidated the U.S.-EU Safe Harbor Program, which allowed U.S. companies to transfer EU citizens' data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive (194 PRA 194, 10/7/15).

The invalidation of Safe Harbor affected some 4,400 U.S. companies certified in the program, and also impacted untold thousands of companies that relied on the certification to transfer personal data to those companies.

Four Major Points

Jourová said that the European Commission, the EU's executive arm, would have to be satisfied on four major points before it could adopt a new decision that would judge U.S. protections for personal data adequate, in the light of the Oct. 6 ECJ ruling.

She said that:

• the U.S. would have to provide assurances that law enforcement access to the personal data of EU citizens that had been transferred to the U.S. by companies would be “limited to what is necessary and proportionate” and that “there is no indiscriminate mass surveillance”;
• an independent ombudsman would have to be created that would be able to investigate complaints from EU citizens “if they fear that their personal information has been used in an unlawful way by U.S. authorities in the area of national security”;
• EU citizens should be able to resolve privacy complaints against companies through appropriate redress mechanisms, including “a last-resort mechanism” that could issue “a binding and enforceable decision,” if complaints couldn't be resolved by the companies concerned, by alternative dispute resolution mechanisms, by EU DPAs or by U.S. privacy authorities; and
• commitments by the U.S. should be “formal and binding,” which could be achieved through “signatures at highest political level and publication of the commitments in the Federal Register.”


Jourová added that any new arrangement would have to be regularly monitored, and that “there will be a clear suspension clause” if the new arrangement was seen to be failing to protect the privacy of EU citizens.

Ongoing Negotiations

Jourová said that U.S.-EU negotiations were “still ongoing, including at the political level.” She didn't give a forecast of when talks might conclude.

EU DPAs represented in the Article 29 Working Party said in October 2015 that unless an arrangement to replace Safe Harbor was in place by Jan. 31, they would start to enforce the ECJ's decision, including by possibly blocking transatlantic data transfers.

The Art. 29 Working Party will meet Feb. 2-3 and has also said it will provide Feb. 3 results of an assessment of whether alternative mechanisms for data transfer from the EU to the U.S., such as binding corporate rules and standard contractual clauses, remain valid in light of the ECJ ruling that invalidated Safe Harbor.

Lawmakers' Objections

LIBE lawmakers Feb. 1 questioned whether the safeguards envisioned by the commission to check law enforcement and national security access to the personal data of EU citizens would be accepted by the ECJ.

Dutch Liberal lawmaker Sophie in ’t Veld asked, “I wonder what the actual legal status is of the commitments we get from the U.S.”

It seemed unlikely that an ombudsman would be able to question access to data by U.S. security agencies, and the legal status of U.S. commitments guaranteed by high-level signatures would be uncertain, in ’t Veld said.

Juan Fernando López Aguilar, a Spanish center-left lawmaker, said that rather than the replacement for Safe Harbor being based on a change in U.S. law to guarantee privacy rights that were “essentially equivalent” to EU rights, “we're talking about an exchange of letters with a presidency that is a lame duck presidency.”

Jourová said that the commission would require the ombudsman on law enforcement access to data to be “very high in the hierarchy” of the U.S. administration, and that “we're asking the U.S. partners for the strongest possible form of legally-binding commitments,” which would be “signed by the highest possible person,” and “taken by our side as legally binding.”

The EU would have no other choice than to “expect continuity” of the commitments under a new U.S. administration, Jourová said.

Hladjk said “both sides have limited leeway to negotiate; it's basically fundamental rights and the ECJ decision versus the limited powers of the U.S. Department of Commerce to negotiate on national security issues.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at

Request Bloomberg Law Privacy and Data Security