Three days ahead of a 31 January deadline to negotiate a new data transfer deal between the EU and the US, The European Consumer Organisation (BEUC) is calling on the European Commission and the European data protection authorities to make sure they comply with the recent European Court of Justice ruling on EU data rights [1].
In October last year, the European Court of Justice struck down an EU-US data transfer agreement (Safe Harbor) and told national data protection authorities they must investigate if personal data is adequately protected when transferred to the US. In response to this ruling, national data protection authorities said they would start taking action against companies which transfer data to the US without respecting EU data laws unless a new data deal is agreed by 31 January.
BEUC calls on:
- The European Commission to only settle on a new Safe Harbor agreement if it fully meets the requirements set out by the European Court of Justice and guarantees that EU citizens’ fundamental rights are upheld when their data is exported to the US.
- National data protection bodies to carry out their duties – confirmed by the EU’s highest court – to investigate and penalise potential breaches of EU data laws.
Monique Goyens, Director General of The European Consumer Organisation, commented:
“When our personal data is transferred outside the EU it should travel hand in hand with the protection guaranteed under EU law. The fact that the European Court of Justice found the Safe Harbor agreement unsafe is not without irony. It is high time consumers do not need to worry where their data will go because they can trust their rights are fully respected on both sides of the Atlantic.
“The difference between EU and US legal data protection regimes is obvious and the Court of Justice was very clear: there cannot be a new Safe Harbor deal unless our data and fundamental rights are protected in the US as in the EU. Otherwise another court case is just a matter of time. The Commission needs to bear this in mind if it decides to close a deal with the US.
“Regardless of whether a new agreement is announced in the coming days, European data protection authorities have a duty to ensure that companies doing business in the EU comply with EU laws. We expect them to take their responsibility seriously and intervene when US firms do not respect our rules.”
[1] Maximillian Schrems v Data Protection Commissioner, C-362/14