The United States and the European Union have made significant progress in crafting new regulations to protect consumers’ privacy during commercial data transfers between American and European jurisdictions, a senior European official said Monday.
In a speech at the Brookings Institution in Washington, D.C., European Commissioner for Justice, Consumers and Gender Equality Věra Jourová said both sides will reach an agreement before a Jan. 31 deadline.
“I’m confident that we will meet the deadline of January 2016 for a new agreement on international commercial data transfers,” Jourová said. “Why? Because we have clear guidelines from Europe’s highest court. Because we can build on discussions held since January 2014. Because it is in both Europeans’ and Americans’ interest. And finally, because there is a strong political commitment at the highest level on both sides of the Atlantic.”
Talks have accelerated since an Oct. 6 ruling from the European Court of Justice that invalidated the Safe Harbor law, a regulatory workaround that let American companies store Europeans’ personal data outside the E.U. — without falling foul of strict European data privacy rules. A working group of privacy regulators said days later that unless the two sides reach an agreement, they will take “necessary and appropriate actions” against companies who are violating those rules.
Jourová said negotiations with Commerce Secretary Penny Pritzker have yielded some results, including a move to make oversight more “responsive” and “pro-active.” According to the commissioner, the Commerce Department has already committed to stronger oversight of companies and stronger cooperation between European data protection authorities and the Federal Trade Commission.
She also said she is working with the Commerce Department to include an annual joint review mechanism, which will detail the number of requests American companies receive from U.S. intelligence and other agencies to pass on information on European citizens.
According to an interview in the Wall Street Journal, Jourová said this review has been a point of contention since the summer, with the U.S. balking at the E.U.’s stipulation that data request reports be made mandatory.
Another key facet in agreements is passage of the Judicial Redress Act, which if signed into law, would give E.U. citizens the same rights to legal recourse that U.S. citizens have if law enforcement is found to have violated their privacy. Jourová will be visiting Capitol Hill tomorrow, urging the Senate to pass the bill.
“The major difficulty we have faced over the years is the fact that the 1974 Privacy Act only grants rights to U.S. citizens and residents, whereas in the E.U. there is no such limitation for U.S. citizens in our redress system,” Jourová said. “This is a long-awaited and historical step and we appreciate the efforts of the Administration and Congress so far.”
Even with the bill’s passage, privacy experts believe the “umbrella agreement” being used as a framework will eventually be tossed out by a European Court. Last week, a letter from U.S.- and Europe-based privacy groups urged both sides to head back to the drawing board.
A revised Safe Harbor framework similar to the earlier Safe Harbor framework will almost certainly be found invalid by the national data protection agencies and ultimately by the [European court],” the letter reads. “Failure will almost certainly lead to disruption of data flows and uncertainty for consumers and businesses on both sides of the Atlantic.”
Jourová said that both sides need to continue to work together to have a “comprehensive and effective framework in place as soon as possible.”
“Only a comprehensive arrangement with clear legal commitments, enforced by the U.S. authorities, can ensure the level of data protection Europeans are entitled to under E.U. law,” she said. “And this is what the judgment requires: where personal data travels, the protection has to travel with it.”