Data transfer law 'invalid' after EU court ruling

06 October 2015 | Alan Burkitt-Gray


Europe is trying to find a ‘safer safe harbour’ agreement with the US, says European Commissioner, so that 4,400 companies can have legal certainty about personal data flow.

The law which has governed data flows across the Atlantic came to a halt this morning and the European Commission is struggling to find new rules that determine how thousands of companies must handle personal information from now on.

The Commission — the executive arm of the 28-nation European Union, which has a population of 500 million — is saying that businesses will need legal certainty following a ruling by the EU’s Court of Justice.

The court said that the so-called "safe harbour" rule that has applied since 2000 was illegal.

"At the moment safe harbour is invalid," said European Commissioner Vera Jouróva at a press conference in Brussels hours after the court ruling. She said the ruling affected 4,400 companies that said they were voluntarily complying with European law even though they transferred personal data out of European jurisdiction to the US.

The Commission wants to ensure a unified approach across all 28 member states, said Jouróva, responding to concerns that an individual national authority can stop data transfers independently, potentially throwing international internet services, telecoms operators and cloud service providers into confusion.

"Safe harbour was a special arrangement. We want to have a new special arrangement because of the volume of data flowing across the Atlantic. At the moment safe harbour is invalid, but there are clear rules for the transfer of data. There are other mechanisms that will have to be applied."

The case was brought when Maximillian Schrems, an Austrian law graduate, argued that the Irish data protection commissioner was wrong to decide that it could not take action against Facebook for transferring personal data to the US under the safe harbour scheme.

Schrems’s case was against the Irish data protection authority because Ireland is where Facebook has its European headquarters.

At the centre of EU concerns is that data lodged in US data centres can be seen by the National Security Agency and other US intelligence agencies without European authorisation. "We don’t have any jurisdiction on American soil and we have to agree the national security points," said Jouróva.

The Commission is working on new European data protection laws, likely to be finalised in 2016 and enforced from 2018, but that process is separate from the court ruling and the end of safe harbour.

The elected European Parliament is talking about fines of up to €100 million or 5% of global turnover for breaches of the future law, though the Council of Ministers — which represents ministers from the member states’ governments — is suggesting up to €2 million or 2% of global turnover.

However the search for what Jouróva called "a safer safe harbour" will continue in parallel, though she is reluctant to offer a timescale. "I don’t want to be that brave to tell you any concrete date," she told the Brussels press conference.

European First Vice President Frans Timmermans said: "We have been working with the US to make data protection safer. In the meantime transfers can continue. Transatlantic data flows are important for our economy. We will come forward with clear guidance in the light of the ruling."

But there are three important needs, said Jouróva: to ensure greater data protection for EU citizens, to ensure data flows can continue, and to develop a coordinated response by all 28 national data protection authorities across the EU.

There are rules that can govern data flows until a new agreement is reached, she said, listing categories such as data that is transferred in the performance of a contract; cases such as the detection of fraud; and "free and informed consent of an individual", which might cover many social media uses.

"The Commission remains fully committed to data transfer across the Atlantic," said Jouróva.

However until safe harbour is replaced, there is no legal certainty for the many businesses that rely on the international transfer of personal data.