This article is more than 1 year old

Brussels flings out Safe Harbour guidelines, demands 'safer' new framework ASAP

Ansip demands 'safer safe' transatlantic data transfers

The Oxford Dictionary states the following for its definition of the word "safe": "Protected from or not exposed to danger or risk; not likely to be harmed or lost."

On Friday morning, Brussels' vice-president Andrus Ansip got a little tautological by once again calling for a "safer" Safe Harbour agreement between the European Union and the United States.

Officials at the European Commission also released a set of guidelines for businesses to follow as the clock ticks down on the broken transatlantic data transfer measures.

The guidelines come exactly one month after a landmark ruling (Schrems vs Data Protection Commissioner) found that the current Safe Harbour Agreement in place between the EU and US was invalid.

It was determined that the 15-year-old data-sharing pact was voided on the grounds that it had breached the privacy rights of EU netizens, whose data – it's alleged – was indiscriminately exposed to US spies.

“Citizens need robust safeguards to ensure their fundamental rights are protected. And businesses need clarity during this transition period," said Brussels' justice commissioner Vera Jourová.

"Our aim today is to explain under which conditions businesses can lawfully transfer data in this interim period. We will also continue to work closely with national data protection authorities, who are responsible for the enforcement of data protection law in the Member States.

"I have stepped up talks with the US towards a renewed and sound framework for transatlantic data flows and will continue these discussions in Washington next week. Any new arrangement has to meet the requirements of the Court ruling."

It's understood that more than 4,000 companies currently rely on the transatlantic data pact.

The EC offered up alternatives during the vacuum period between the current agreement and the new framework that it is attempting to negotiate with the US.

It said the following data transfers can continue to be pursued by businesses:

Contractual solutions: contractual rules should obligations, such as security measures, information to the data subject, safeguards in case of transfer of sensitive data, etc. Model standard contractual clauses are available here.

Binding Corporate Rules for intra-group transfers: they allow personal data to move freely among the different branches of a worldwide corporation. They have to be authorised by the DPA in each Member State from which the multinational wishes to transfer data.


  • Conclusion or performance of a contract, including pre-contractual situations, e.g. in order to book a flight or hotel room in the U.S., personal data may be transferred;
  • Establishment, exercise or defence of legal claims;
  • If there is no other ground, the free and informed consent of the individual.

Enforcement against non-compliance with the Safe Harbour court ruling kicks in early next year. It's a short time for those negotiations between the US and EU to turn into Ansip's desired "safe" Safe Harbour deal. ®

More about


Send us news

Other stories you might like