The European Commission has issued guidelines to businesses on transatlantic data transfers while a new 'safe harbour' agreement is being reached.
This agreement - which was 15 years old - was set up to facilitate easier transfer of data for US companies to transfer data from Europe to the US.
After it was challenged by Austrian privacy rights campaigner Max Schrems, the European Court of Justice (ECJ) early last month ruled that the agreement was invalid.
The ECJ ruling had stated three priorities when negotiating a new ‘safe-harbour’ deal: to reassure citizens their personal data will be protected; to provide clarity to businesses on alternative methods for transatlantic data transfers and to ensure the application of a new agreement would be uniform across both markets.
Justice Commissioner Věra Jourová has now announced that companies still need to comply with the ECJ ruling, and has issued guidance on transferring data across the Atlantic and using alternative mechanisms for data transfers, until a new framework is put in place.
She said, "Any new framework transatlantic data transfers has to meet this requirement, in the meantime, data transfers between the US can no longer be based on the old safe harbour."
The guidance also outlines when businesses can pursue data transfers. Commissioner Jourová explained that these transfers can occur "based on contractual clauses", in "binding corporate rules for intra-group data transfers within a group of companies" and in "The specific conditions, the directive allows for such transfers, for example to fulfil a contract."
Speaking about the negotiations for a new safe harbour agreement, she stressed that, "Citizens need robust safeguards to ensure their fundamental rights are protected. And businesses need clarity during this transition period."
"Our aim is to explain under which conditions businesses can lawfully transfer data in this interim period. We will also continue to work closely with national data protection authorities, who are responsible for the enforcement of data protection law in the member states."
"I have stepped up talks with the US towards a renewed and sound framework for transatlantic data flows and will continue these discussions in Washington next week. Any new arrangement has to meet the requirements of the Court ruling."
The group of 28 EU data protection agencies gave the Commission a three month deadline last month, saying that should there be no agreement by the end of January 2016, they are "committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
Because of this, European Commission Vice President Andrus Ansip, said, "the Commission needed to take immediate actions to ensure citizens their personal data is protected" and urged an agreement between the EU and US on a new transatlantic data transfer pact.
He added that "the idea of safe harbour was good - but then we understood that safe harbour was not safe."
"Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations. The EU and the US are each other's most important trading partners."
"I believe we and the United States have all the tools at hand to achieve this in three months, but we want a bullet-proof solution. Our goal is a safe framework for the transfer of data across the Atlantic."