EU and US fail to develop new Safe Harbour

The EU and US have failed to develop a new data sharing scheme to protect Europeans’ personal data from American snoopers following the demise of Safe Harbour last October.

Last year, the European Court of Justice ruled that the scheme, drawn up in 2000, was invalid. It was meant to allow for seamless transfer across the Atlantic but was abolished following European fears in the wake of the Snowden revelations.

“Work is still ongoing, we are not there yet, but the commission is working day and night on achieving a deal,” a European Commission spokesman said.

The safe harbour agreement was drawn up in 2000 to facilitate the seamless transfer of data across the Atlantic, but vanished overnight with the court decision after an outcry in Europe about the revelations of US whistleblower Edward Snowden.

Austrian law student Max Schrems complained about Facebook to the ECJ just before Mr Snowden revealed mass spying programmes of the US National Security Agency which routinely intercepted communications from a range of media.

Currently the US and EU are at odds over how to give EU citizens redress and how to monitor any new agreement.

Ashley Winton, Partner and UK head of data protection and privacy at Paul Hastings LLP and chairman of the UK Data Protection Forum said the situation was leaving businesses in the dark.

“The commissioner has confirmed that no agreement on the safe transfer of data between the UK and US has been agreed within the set deadline. This will cause great uncertainty for European businesses and concern amongst European citizens.

“Some detail has been revealed about what could be included in Safe Harbour 2.0 including an annual review that the conditions for safe processing remain satisfactory and an ombudsmen for European citizens. However, those businesses who are operating across the EU and US remain in the dark, and at increased risk of enforcement if they continue to transfer data to the US.

“The results of months worth of negotiation appears weak and if adopted we are likely to see further legal challenge in the European courts. The European Commission still needs to make the case that the US system of privacy laws are essentially equivalent, that data subjects have real rights against disproportionate processing in the US, and that if there is disproportionate or illegal processing then citizens can have their personal data deleted and ultimately redress in an appropriate court.”