Brussels and Washington are scrambling to finalise a last-minute deal over transatlantic data transfers before a grace period by European data protection authorities comes to a close.
If no deal is reached by next week then companies in the EU and US will face a barrage of complaints from regulators over the methods they use to transfer data from Europe to the US — potentially resulting in such transfers grinding to a near-total halt.
Companies long relied on a “safe harbour” agreement to legally transfer data back and forth across the Atlantic. The safe harbour was based on a promise from US companies to protect European citizens’ personal data.
But it was struck down by the European Court of Justice in October in a ruling triggered shock among over 4,000 companies — including technology giants such as Google and Facebook — for whom cross-border data transfers are an essential part of business.
Data protection agencies across the 28-member subsequently gave the European Commission and Washington until the end of January to come up with a replacement.
People briefed on the latest talks said the two sides had made progress in recent days, and were hoping to strike a deal this weekend.
One idea under discussion, they added, was the establishment of an ombudsman to hear EU citizens’ complaints about possible infringements to their digital privacy. The details of how it would work in practice were still to be agreed.
The two sides are also yet to agree when and how a company should reveal whether US intelligence has attempted to access the data of EU citizens.
Many big technology companies already operate so called “transparency reports” that reveal how often a government has asked for data. But US officials have insisted that making them mandatory is not possible.
The talks have also been complicated by a last-minute amendment to a bill in the US Senate, which limited the right of EU citizens to sue the US government if their privacy has been breached.
Since the ECJ’s October ruling, companies have tried to come up with alternative means of transferring data across the Atlantic.
But these other methods — which range from boilerplate contracts to rewriting terms and conditions — could also come under investigation from data protection agencies across Europe, leading to fears that transatlantic transfers of data could be effectively banned in the near future.
Such a situation would deduct 0.4 per cent from the bloc’s GDP per year, according to European Centre for International Political Economy, a think-tank.
Another consequence of the ECJ’s ruling is that national data protection agencies (DPAs) have won more powers, allowing them to investigate data transfer arrangements that had previously been deemed fine by the commission.
Legal analysts believe that national regulators will face increased pressure to act — particularly after the grace period ends.
“They know that if they do not start moving, they will have legal proceedings saying that they are not upholding the law,” said Alexander Whalen, a senior policy manager at Digital Europe, a business group for the technology industry.
Big tech companies are in a near impossible position, having to obey US demands to access data for national security purposes alongside EU rules banning such interference, according to Max Schrems, the Austrian student who filed the original “safe harbour” challenge.
“The problem is [with] the big shops: Microsoft, Apple, Facebook and Google. They are in two jurisdictions who say the opposite thing,” said Mr Schrems in an interview with viEUws, a Brussels based media group. “This problem was solved by the EU not enforcing its law. These companies have realised that falling under two jurisdictions caused them trouble.”
Even if a new “safe harbour” deal is reached between the US and the commission, it will probably be challenged in the EU’s top court again, according to analysts.
“There is mood music that suggests, even if we get agreement, then some DPAs might still launch investigations,” said a policy adviser at one big internet group. “There is a group of DPAs and activists trying to take us down one path. We are not at the end.”
Get alerts on Data protection when a new story is published