Oct. 29 — Companies affected by the invalidation of the U.S.-EU Safe Harbor Program shouldn't wait for further guidance from regulators, but instead take steps to reduce their exposure to possible enforcement action over data transfers from the European Union to the U.S., data protection officials said at the 37th International Conference of Data Protection and Privacy Commissioners Oct. 29.
Indicating that companies shouldn't expect a quick solution to the problems created by the European Court of Justice's invalidation of Safe Harbor, EU data protection officials said they were under an obligation to enforce the Oct. 6 ECJ ruling.
Isabelle Falque-Pierrotin, head of the French data protection authority and chairwoman of the Article 29 Working Party of EU data protection officials, said Oct. 29 that affected companies should “reflect on the ways you are organizing your data flows to cope with the new legal environment.”
EU privacy regulators are “bound by the decision of our supreme court,” and the point will come “when we have to act,” Falque-Pierrotin said.
Jacob Kohnstamm, chair of the Dutch DPA, told Bloomberg BNA Oct. 29 that companies which previously relied on Safe Harbor for their transfers to the U.S. from the European Economic Area should “prepare for the worst,” including a possible ban on data transfers.
The ECJ invalidated Safe Harbor on the basis that it didn't offer adequate safeguards against access to the data of EU citizens by U.S. law enforcement agencies, and didn't provide EU citizens with sufficient rights of redress in case of data privacy violations in the U.S.
The Article 29 Working Party said Oct. 16 that it would hold off enforcement of the ECJ ruling until the end of January 2016, to give EU and U.S. authorities time to agree on a replacement mechanism for Safe Harbor.
Officials at the 37th International Conference of Data Protection and Privacy Commissioners didn't give any clear signal that they expected an agreement by the end of January, although U.S. Federal Trade Commission head Edith Ramirez said she was “optimistic” that the EU and U.S. would ultimately bridge differences over privacy protection.
“There continues to be a fundamental lack of understanding of each other's systems,” she said.
During its 15-year lifespan, Safe Harbor became “absolutely significant” for data transfers from the EU to the U.S. and the impact of its invalidation “cannot be overstated” and had “truly sent shockwaves in the U.S.,” she said.
“The current situation we are in is untenable,” and U.S. authorities are “committed to working very closely” with EU DPAs and the European Commission “to find an effective solution,” Ramirez said.
Over 4,400 U.S. companies were participating in the Safe Harbor when it was invalidated.
Falque-Pierrotin said companies shouldn't wait for guidance from the privacy authorities because companies have a “shared responsibility” to ensure that their data transfers were done legally.
The Article 29 Working Party had highlighted “repeatedly” that treatment of the personal data of EU citizens in the U.S. was “not coherent with our Charter of Fundamental Rights,” she said.
The EU and U.S. authorities had to “solve the question of the guarantees” of data privacy that the ECJ had requested, Falque-Pierrotin said.
The invalidation of Safe Harbor offers the possibility of a “huge step forward” if it leads to an understanding of “what type of standard guarantees we want in situations when personal data is accessed by the authorities in one country,” Falque-Pierrotin said.
Joe Cannataci, a professor at the University of Malta, who was appointed in March as the United Nations Human Rights Council Special Rapporteur on privacy, said that the free flow of data across borders for economic benefits raises the issue of the need for “safeguards without borders and remedies without borders.”
In the longer term, use of encryption to protect data “may bring governments to the table” to discuss common approaches to access to personal data for law enforcement purposes, because encryption makes mass electronic surveillance “useless,” Cannataci said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com