EU offers guidance to Safe Harbor firms

The European Commission on Friday tried to reassure anxious companies that trans-Atlantic data transfers can continue in the absence of an invalidated data flow agreement and stressed that negotiations to update the framework are proceeding.

“The Commission has been asked to take swift action: This is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations,” said Vice President Andrus Ansip.

{mosads}The over 4,400 firms that had relied on the so-called Safe Harbor pact to legally handle European citizens’ data were left scrambling when the EU high court struck down the agreement and offered nothing in the way of guidance or a grace period for compliance.

The commission on Friday provided little new information, instead echoing previous assurances that a variety of alternate legal mechanisms are still open to companies.

In a guidance document, the commission detailed two options under which firms may still pursue data transfers.

One, model contractual clauses, allow data users to give consent to the transfer and include security obligations and safeguards.

The second, Binding Corporate Rules, allows personal data to move freely among the different branches of a worldwide corporation. BCRs, as they are known, have to be authorized in each European member state where the data is transferred.

Critics have panned each option as unworkable. Experts say BCRs carry a price tag of more than $1 million and take 18 months to fully implement, making them cost prohibitive for smaller firms.

Model clauses, on the other hand, are complex to execute and mistrusted by some privacy regulators.

Some of Europe’s individual member state privacy regulators — which have the authority to investigate any of the means of transfer under the court ruling that invalidated Safe Harbor — have cast doubt on the legitimacy of the alternatives.

Germany has already invalidated model clauses and suspended approvals for BCRs.

The commission was explicit in reminding firms of the authority held by the privacy regulators, which has caused some critics to warn of a patchwork enforcement environment.

“Standard Contractual Clauses and Binding Corporate Rules can in the meantime be used as a basis for data transfers, although [a working party of data protection authorities] also stated that it will continue to analyse the impact of the judgment on these alternative tools,” the guidance reads.

The Commission insisted that the way forward is an updated version of Safe Harbor, which negotiators have been working on for several years.

The timeline for discussions has been accelerated by the court decision, and the working party of privacy regulators gave negotiators a January 2016 deadline before they will take enforcement action.

“I have stepped up talks with the U.S. towards a renewed and sound framework for trans-Atlantic data flows and will continue these discussions in Washington next week,” Commissioner Vera Jourová said. “Any new arrangement has to meet the requirements of the court ruling.”

Some policy experts have warned that a new Safe Harbor framework could be struck down as summarily as the old one.

In remarks on Friday, Ansip said that “a legally binding administrative decision will be needed to make this Safe Harbor 2.0 bulletproof” but maintained that a new agreement is the best option for companies.

“While alternative tools exist, a safer new framework is the best solution to protect our citizens and cut red tape for businesses, especially start-ups,” Ansip said in a statement.