As the EU body leading the Safe Harbor 2.0 negotiations with the U.S. government, the EU Commission plays a crucial role in the current debate about data transfers from the EU to the U.S. On 26 October 2015, during her speech to the LIBE Committee of the EU Parliament, Vera Jourová (the EU Commissioner responsible for data protection) provided some important insights into the progress of, and requirements for, Safe Harbor 2.0.
Jourová also emphasised the need for clarity for businesses in respect of international data transfers and announced that the Commission will soon issue an explanatory Communication on the consequences of the Schrems ruling setting out guidance on international data transfers.
Requirements Of Safe Harbor 2.0
In line with a press release issued on 6 October, Jourová calls for a Safe Harbor 2.0 that lives up to the standard of the Schrems ruling as the central future framework for enabling transatlantic data flows. According to Jourová, Safe Harbor 2.0 would need to meet the following requirements in order to live up to that standard.
- For data transferred from the EU to the U.S., Safe Harbor 2.0 needs to ensure that data protection safeguards are “globally equivalent” (but “not necessarily identical”) to the European standards.
- While a system based on self-certification is acceptable, Safe Harbor 2.0 needs to provide “effective detection and supervision mechanisms”. According to Jourová, the U.S. has delivered on this requirement by committing to stronger oversight of the system by the Department of Commerce, stronger cooperation with EU DPAs and priority treatment of complaints by the FTC. She also states that European DPAs will need to play a more active and visible role in the process of reviewing the framework. The parties are said to have reached an agreement in principle on these points, but are still discussing how to ensure that the commitments made are sufficiently binding.
- Safe Harbor 2.0 must be periodically reviewed in light of developments in the U.S. According to Jourová, the Commission and the U.S. are working on an annual joint review mechanism which would cover all aspects of the framework, including the use of exemptions for law enforcement and national security grounds.
- Safe Harbor 2.0 would need to provide sufficient limitations and safeguards to prevent access to or use of personal data by public authorities on a “generalised basis”. It would also need to ensure sufficient judicial control over national intelligence activities. Jourová describes this as “the biggest challenge in the CJEU judgement” but welcomes a number of U.S. initiatives developed since the Snowden revelations which address this very requirement. These include the adoption of the USA Freedom Act, the Presidential Policy Directive 28, a more targeted and tailored approach to surveillance and the approval of the U.S. Judicial Redress Act by the House of Representatives.
Progress Of The Safe Harbor 2.0 Negotiations
Jourová confirms that several meetings have taken place and intensive technical discussions will continue until her mid-November meeting in Washington where she will further discuss the Safe Harbor 2.0 framework with U.S. officials. We will report on the progress of those discussions as details emerge.
The EU Commission is pushing for quick progress in the Safe Harbor 2.0 negotiations and is aiming for a framework which eliminates the CJEU concerns about the first Safe Harbor framework. While a lot of work still lies ahead, businesses should factor in Safe Harbor 2.0 as a future mechanism for legitimising EU/U.S. data transfers and closely follow the progress of the negotiations.