January 21, 2016
European Union privacy regulators are leaning toward the restriction of personal data transfers to the United States because of the risk of U.S. surveillance, two sources familiar with the matter said on Wednesday.
EU data protection authorities are finalizing their position on data transfers to the United States after a top EU court last year struck down the Safe Harbour system, used by thousands of businesses to easily transfer data across the Atlantic, because the data were not protected enough from any U.S. snooping.
A plenary meeting on Feb. 2 of the Article 29 Working Party, which brings together the EU's 28 privacy regulators, will decide to what extent companies should be allowed to continue transferring Europeans' data to the United States in light of the ruling from the European Court of Justice (ECJ).
In a preparatory meeting on Wednesday the authorities discussed a range of possible outcomes, including "freezing" all new authorizations for U.S. data transfers on the basis of binding corporate rules within multinationals or standard contractual clauses between companies, the sources said.
Under EU data protection law, companies cannot shift Europeans' data to countries outside the EU deemed to have insufficient privacy safeguards, which applies to the United States according to the authorities' assessment of the U.S. legal system.
However, data transfers are allowed if firms set up complex legal structures such as binding corporate rules or standard contractual clauses.
The 15-year-old Safe Harbour framework allowed firms to transfer personal data to the United States without doing that.
A final decision will only be taken at the plenary meeting and not all regulators were in favor of the restrictive approach, the sources said.
If the European Commission, which is negotiating a replacement for Safe Harbour with Washington, presents the regulators with a strengthened system their position may change.
"That will change the whole game," one of the sources said, "and could stop the data protection authorities from taking action."
A spokeswoman for the French data protection authority, which heads the group of regulators, said negotiations were still ongoing and a final decision would only be taken on Feb. 2.
Freezing all new authorizations for U.S. data transfers using binding corporate rules or standard contractual clauses is likely to put a dampener on transatlantic data flows which are the highest in the world, stoking claims from businesses that the borderless nature of the Internet is being jeopardized.
Companies that have already set up the legal mechanisms and got them approved by regulators could also be affected if there are complaints, one of the sources said.
Revelations two years ago from former U.S. National Security Agency contractor Edward Snowden about mass U.S. surveillance programs caused a political backlash in Europe and set the stage for the sinking of Safe Harbour in court.