No easy way forward for EU-US transfers of personal data

The EU DPAs, and the EU Commission are frantically searching for solutions to the problem of the European Court of Justice declaring the US-EU Safe Harbor to be invalid. While the EU and the US are still negotiating a new framework, there are additional challenges. Although the EU DPAs’ Article 29 DP Working Party has already issued an opinion saying that for now, Binding Corporate Rules and model contacts can be used to safeguard transfers, the German DPAs have now issued a joint position paper saying that they are doubtful, and will not issue any new authorisations for transfers to the US. In the meantime, Israel’s and Switzerland’s DP Authorities (both declared by the EU to have “adequate” legal regimes) have said that they will not allow transfers to Safe Harbor registered companies.

However, The US Department of Commerce has said that it will continue to administer the Safe Harbor programme as normal. Speaking in Amsterdam at an academic conference, US FTC Commissioner Julie Brill said that a Federal privacy law is no prerequisite for EU-US transfers to continue, as the US offers a variety of sectoral privacy laws. She said that she is in favour of strengthening the existing consumer privacy laws and ensuring that the European authorities recognise the privacy protections that the US already has.

Commenting on the other possible European solutions, she said:

"Some of the alternatives to Safe Harbor do not offer this same level of transparency. For example, model contracts might require companies to file copies of their contracts with a data protection authority, though this is not the case in every Member State."