Cybersecurity

Head EU privacy regulator urges firms to limit data transfer to US

Europe’s top privacy regulator is calling on firms to limit the transfer of European Union citizens’ data to the United States, Reuters reports.

“No one wants data transfers to stop completely, but neither does anyone want information on European citizens, who have certain rights under our laws, to be completely without protection when they leave Europe,” said Isabelle Falque-Pierrotin, who leads a working group of 28 European data protection regulators.

{mosads}The warning comes weeks after the EU’s high court invalidated a 15-year-old framework that allowed companies to legally transfer data across the Atlantic.

The court cited insufficient American privacy protections, noting that the United States could not adequately protect EU data because of its “indiscriminate” surveillance practices.

The more than 4,000 firms that had relied on the so-called Safe Harbor agreement to handle European data are now left scrambling for alternatives, while regulators work to update the agreement.

The ruling drew fierce criticism from U.S. business groups, regulators and lawmakers, who say it will have a negative impact on trade.

“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy,” Commerce Secretary Penny Pritzker said. 

Pritzker is the lead U.S. negotiator on an updated framework. 

“The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises,” Computer and Communications Industry Association Europe Director Christian Borggreen said in a statement when the decision was announced.

“We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most,” Borggreen added.

The European Commission, the union’s executive body, has insisted that there are a number of alternative routes that U.S. companies can use to ensure they don’t violate EU data law, but legal experts say each of those options comes with its own set of headaches.

Meeting in Brussels to discuss the implications of the ruling, the data protection authorities’ working group provided no grace period for companies and last week urged negotiators to provide an updated legal framework no later than January.

Falque-Pierrotin said that the working group will look for “pragmatic and realistic” solutions to the new environment, but she echoed previous warnings that companies should carefully vet their privacy safeguards.

“We must all comply, including the companies who should reconsider, maybe critically, the organization of their cross-border data flows,” said Falque-Pierrotin. “They should ask themselves, are all these transfers justifiable?”