The United States and European Union have until January to hammer out a new agreement that will allow for the legal transmission of citizens’ personal data between the two continents, European data privacy regulators said Friday.
The Article 29 Working Party, which brings together the data protection and privacy regulators of all the 28 EU member states, issued the timeline after last week’s European Court of Justice ruling that tossed out the Safe Harbor agreement, a 15-year-old regulatory workaround letting American companies store Europeans’ personal data outside the EU.
The regulators said if the two sides do not come to an agreement prior to end of January, the group will take “necessary and appropriate actions, which may include coordinated enforcement actions” against U.S. companies that store personal data outside of European jurisdiction.
Safe Harbor was struck down after a case brought by Austrian privacy activist Max Schrems, following his unsuccessful attempt to get European privacy regulators to stop Facebook from moving its users’ data to the United States. Schrems argued the data would be subject to mass surveillance under the National Security Agency’s PRISM program and other online snooping revealed by Edward Snowden in June 2013.
The U.S. and EU have been in talks for the past two years on a new agreement to replace the Safe Harbor, but they failed to reach a deal before the European court handed down its ruling.
The Article 29 group stressed that a new deal is imperative, calling for both the U.S. and EU to find “political, legal and technical solutions” for legal data transfers, and noting that any transfers still taking place have to be considered unlawful due to the European court’s judgment.