The end for Safe Harbour? Europe – US trade faces huge upheaval after failure to agree deal on data transfer

Negotiations between the European Union and US have failed to reach an agreement regarding how data is transferred between the regions.

A deadline for the end of January had been set for a revised Safe Harbour agreement back in October, meaning that three months has gone by without the deadlock being broken.

An agreement is seen as necessary to avoid disruption to the transatlantic digital economy and to help ensure the continuity of service for US and EU companies.

The failure to reach an agreement will likely have on-going ramifications for transatlantic business. Phil Lee, data protection partner, at EU law firm Fieldfisher, said: "The disruption to transatlantic business is absolutely enormous. If you’re a US supplier trying to sell into Europe, the tone coming from European customers now is very much one of ‘Why should we trust you with our data?’

"Only those suppliers that agree to export data under the EU’s Standard Contractual Clauses will have any success in closing commercial deals."

The reason for the whole problem stems from Edward Snowden’s revelations about mass surveillance programmes being carried out by the American National Security Agency. Under these programmes it collected private data from companies such as Apple, Facebook and Google.

This led to a backlash from the EU which helped to kick start the process towards re-addressing the Safe Harbour agreement.
At its most basic, the Safe Harbour agreement is designed to regulate the way that US companies can export and handle the personal data of European citizens.

The agreement had been in force since 2000 but due to concerns that it does not adequately protect consumers, it was scrapped.

What it means for companies like Microsoft is that they cannot rely on self-certification to transfer data, they must instead use model contract clauses which authorise the transfer of data outside the EU. The problem with this is that these are needed for each case of data transfer, making for a more time consuming and costly process.

The impact of the regulation, or lack of it, has seen a number of major cloud vendors increasing the amount of services they have that now offer to store data in the EU.

Nigel Hawthorn, chief European spokesperson, Skyhigh Networks, said: "With politicians taking so long to get anything agreed, the discussions are in danger of becoming irrelevant. The business wheel is constantly turning.

"A Safe Harbour 2.0 has been promised, but US organisations aren’t waiting and are instead amending their operations to keep data in the EU. In fact, 27 percent of cloud services now offer to store data in the EU, twice as many compared to six months ago."

NetSuite is one company that has expanded its data centre footprint with the opening of two hubs in Europe, while Box is also preparing to open European data centres in 2016.

The original agreement had been ruled invalid by the European Court of Justice, saying at the time: "If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

Although the deadline has been missed there are still talks continuing so a deal may be struck in the next few days, or a new deadline will be set for an agreement to be made. For this extra time to be given a set of temporary rules could be created.