Cybersecurity

US, EU get three months to cut new privacy deal

European Union privacy regulators on Friday gave the European Commission and the United States three months to come up with an alternative to an invalidated legal framework that allowed companies to shuttle personal data across the Atlantic.

{mosads}Earlier this month, the European high court tossed out the so-called Safe Harbor agreement, leaving more than 4,000 companies scrambling to find alternatives to continue to handle private consumer data.  

The court did not give companies a grace period to comply and without regulatory guidance, critics said the ruling could create a country-by-country patchwork of privacy enforcement by regulators.  

Meeting in Brussels to discuss the implications of the ruling, a working group of Europe’s data protection authorities provided no grace period of their own for companies and urged negotiators to provide an updated legal framework no later than January.

“If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” the data protection authorities said in a statement.

The authorities’ statement also advised businesses to “reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection.”

The European Commission tried to reassure companies in the wake of the decision that it will work to create a uniform regulatory environment, but whether officials will be able to move quickly enough to protect Safe Harbor firms is a game of “wait and see,” observers say.

The commission has insisted that there are a number of alternative routes that U.S. companies can use to ensure they don’t violate EU data law, but legal experts say each of those options comes with its own set of headaches.

“They all have problems,” Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S., told The Hill when the ruling was announced.

The U.S. and EU have been in talks for two years to update Safe Harbor. Following the court’s bombshell ruling, the pressure is on regulators from both nations to provide a new framework.

“The [European Court of Justice] decision makes urgent the need to redouble your efforts and conclude a successor to the now-invalidated Safe Harbor Agreement,” a group of 56 lawmakers wrote in a Wednesday letter to Secretary of Commerce Penny Pritzker and Federal Trade Commission Chairwoman Edith Ramirez.