Brussels, 06/11/2015 (Agence Europe) - European Commissioners Andrus Ansip (Digital Single Market) and Vera Jourova (Justice and Consumer Rights) provided a series of guidelines on Friday 6 November for European and US companies, in particular the smallest firms, in the face of the legal uncertainty following the ruling a month ago by the Court of Justice of the EU on the Safe Harbor arrangement.
The guidance comes with Commissioner Jourova preparing to travel to Washington next week for meetings with her US counterparts in the Trade Department and continue talks on a new Safe Harbor. At a press briefing, she said again that she urged the United States to approve the new arrangement which, in light of the Court ruling, must strengthen protection for European citizens with regard to access to their data by US government authorities and improve legal oversight.
Closer supervision and stronger sanctions are needed from the United States, too, towards American companies which do not comply with the principles set out, Jourova said. She stated, however, that a number of positive data protection measures had been put in place in the US, such as the Judicial Redress Act which provides European citizens with some recourse to US courts. While this law, which is currently going through the Senate, is only a partial answer, it is, nonetheless, a step in the right direction, Jourova said.
The new Safe Harbor arrangement, which both sides agree should be concluded swiftly, will continue to be based on the principle of self-certification but compliance will be required with stricter criteria, the Commission demands. The two sides agree that there should be an annual review of the arrangement, Jourova announced in Strasbourg on 26 October. Commissioner Ansip said that a “bullet-proof solution” had to be found. Jourova also said that the other ten adequacy decisions currently in force with other third countries would be studied in the light of the ruling, in particular with regard to the role of national data protection authorities, which have come out strengthened after the ruling.
The Commission is making no comment, however on the exact timing, though the national data protection authorities have given the two sides three months to come to an agreement. Jourova would only say that she hoped to finalise the new arrangement “as soon as possible”. In its communication, the Commission also sets itself a three-month deadline for concluding discussions.
The guidance published on Friday aims to assist firms in using alternative means for transferring data from the EU to the United States, means that the Commission had already suggested in the wake of the ruling of 6 October. Several Commission sources have pointed out that many companies, mainly large companies, had anticipated the Court's decision and had begun to use other means of transfer. The firms worst hit are SMEs. These guidelines note that the 2000 Safe Harbour “can no longer serve as a legal basis for transfers of personal data to the US” and set out other possible bases for transfers.
Businesses can currently pursue data transfers on the basis of contractual solutions, binding corporate rules for intra-group transfers or on the basis of a number of derogations, for example, for the “conclusion or performance of a contract; establishment, exercise or defence of legal claims; or, if there is no other ground, the free and informed consent of the individual”, the Commission already said in October. It will be for companies' data controllers to check carefully if these models fully comply with European law and the latest guidance by the Court of Justice. (Original version in French by Solenn Paulic)