The European Union has laid out temporary guidelines for companies within the EU that transfer personal user data to the US, to apply until it can conclude its full review of the Safe Harbor agreement and of the permanent changes that need to be put in place.
The interim measures have been suggested following a ruling last month by the EU Court of Justice that the agreement is “invalid”.
As a result, the EU is recommending three areas to focus on for future principles of the agreement. “Due to deficiencies in transparency and enforcement of the arrangement, specific problems still persist and should be addressed,” the court said.
Primarily, it’s concerned about the privacy policies of companies that participate in the voluntary – but binding – Safe Harbor program. It’s also worried about how effectively the principles laid out in the Safe Harbor agreement are being applied by companies in the US.
There are doubts as to the efficacy of the enforcement of Safe Harbor principles – many of the members of the scheme are self-certified and checks to see whether or not they are complying with Safe Harbor aren’t stringent enough.
“Furthermore, the large scale access by intelligence agencies to data transferred to the US by Safe Harbour certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the US,” the court added.
While the EU works out how the agreement should be amended in the longer term, it has issued recommendations on how data transfers should be carried out, based around transparency, enforcement and the access that US authorities have.
A new permanent agreement should be in place within the next three months.