Update: E.U., U.S. Reach Tentative Data Transfer Deal
European regulators announced a framework agreement on Tuesday (Feb. 2) on trans-Atlantic data transfers that would require U.S. companies importing personal data from Europe to "commit to robust obligations on how personal data is processed and individual rights are guaranteed."
Despite the breakthrough Safe Harbor deal after months of haggling, legal challenges are expected. Moreover, the 28 members of the European Union must still approve the deal and data regulators must also sign off on it.
"For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms," stressed European Union Commissioner Vĕra Jourová. The framework agreement includes a concession by the U.S. to provide annual written assurances that U.S. spy agencies would not have unfettered access to trans-Atlantic data transfers.
U.S. and European Union negotiators failed to come up with a compromise Safe Harbor framework by a Jan. 31 deadline. Both sides were calling on the other to make concessions. Months of negotiations followed invalidation of the original Safe Harbor agreement by the European Court of Justice last October. The framework allowed businesses to transfer the personal information of EU citizens to the U.S. for storage and processing.
The revelations of Edward Snowden, the former National Security Agency contractor, cast a long shadow over the negotiations.
Jourová had earlier called for more U.S. concessions before a new Safe Harbor deal could be reached. "We are close, but an additional effort is needed" from the U.S., Jourová noted in a statement released earlier this week. Jourová, whose formal title is EU Commissioner for Justice, Consumers and Gender Equality, emphasized the need for formal and binding commitments from the U.S. before a deal can be reached.
Jourová said she planned to speak with U.S. Commerce Secretary Penny Pritzker this week to hash out remaining issues. The EU was seeking high-level U.S. backing for a new framework in the form of an exchange of binding letters and publication of new Safe Harbor rules in the Federal Register.
"I will not hide that these talks have not been easy," Jourová acknowledged. "It is not an easy task to build a strong bridge between two legal systems which have some major differences."
Pritzker has called for completion of an updated Safe Harbor framework as soon as possible to "address uncertainty created by the [EU] court decision."
U.S. IT industry groups fired back following Jourová's call for more U.S. concessions. "Every day that goes by without a comprehensive agreement [on a new Safe Harbor framework] creates additional risk for businesses, which will translate into higher prices and lower quality services for consumers," asserted Daniel Castro, vice president of the Washington-based Information Technology & Innovation Foundation (ITIF).
"In the wake of the Snowden disclosures, it is understandable that European citizens and policymakers are asking questions about privacy safeguards in U.S. law. But the United States now has a clear set of rules for government access to data, and these rules offer similar levels of protection to those found in Europe and elsewhere," Castro added. "Given the critical importance of the data economy in both Europe and the United States, both sides need to act swiftly to reach a final agreement.
The group also called on European regulators to buy time for negotiators to reach a compromise by establishing a moratorium on new enforcement. "Enacting temporary enforcement measures at this point would be premature and impose unnecessary costs on businesses and consumers without addressing the long-term goals of either European or U.S. interests," ITIF said.