The original Safe Harbor agreement enabled companies to store and process EU citizens' personal information in the U.S. in compliance with strict European data protection laws, and its invalidation by the Court of Justice of the European Union last October in a case relating to Facebook's activities has called into question the operations of companies large and small.
EU negotiators appear to be pushing for further concessions from their U.S. counterparts as they work on Safe Harbor's replacement, and may be prepared to miss the Jan. 31 deadline imposed by Europe's privacy regulators rather than compromise on their principles.
"Intense negotiations are ongoing. They are constructive but there will not be agreement for any price," spokesman Christian Wigand said Friday at the Commission's daily news briefing. "We need an agreement that lives up to the benchmarks set by the Court of Justice."
Among the court's requirements was a right to legal redress for EU citizens whose personal data is inappropriately handled by U.S. law enforcers, intelligence agencies and other public bodies after it is transferred to the U.S.
The continued absence of such a right from U.S. law is one of the sticking points for European lawmakers. The U.S. House of Representatives has already approved a text that would satisfy European negotiations, the Judicial Redress Act, but the bill has not yet received Senate approval. On Thursday night the Senate Judiciary Committee gave it their assent, but it has not yet been scheduled for a full vote.
The Safe Harbor data-transfer agreement provided companies with a way to collect the personal information of Europeans and process it legally in the U.S.
European Commission representatives had already begun calling for changes to the agreement in 2013, when Edward Snowden's revelations about the U.S. National Security Agency's activities made it clear that the agreement did not afford data held in the U.S. the same protections as it received in Europe, as required by the 1995 Data Protection Directive.
Nevertheless, the invalidation of the agreement by the Court of Justice of the European Union on Oct. 6 came as something of a shock for European businesses. The court had been asked to rule on a much narrower question in a case brought against Ireland's Data Protection Commissioner by Austrian Max Schrems over the commissioner's handling of his complaint against Facebook.
Schrems, a Facebook user, had asked the commissioner to rule that, in the light of the Snowden revelations, Facebook's reliance on the Safe Harbor agreement to process his personal information in the U.S. did not provide the privacy protections required by the 1995 directive.
Facebook has not changed its practices since October, saying that in any case it doesn't rely on the Safe Harbor agreement to justify the legality of its activities.
The directive offers companies other tools to guarantee customers' privacy when transferring their data to the U.S., including model contract terms for use in their dealings with U.S. partners, and binding corporate rules for transfers between subsidiaries of a multinational.
However, there are also questions about whether those tools meet the standards set by the Court of Justice. Europe's data protection authorities will meet on Feb. 2 to finalize a report on the impact of the decision on the other data transfer tools, which they plan to present on Wednesday.