SHARE THIS ARTICLE Share Tweet Post Email

Photographer: Meg Roussos/Bloomberg Photographer: Meg Roussos/Bloomberg

The European Union set a three-month deadline to reach a new trans-Atlantic deal on data-transfers after the bloc’s top court struck down a 15-year-old pact that risked giving American spies unfettered access to EU citizens’ private details.

“We need an agreement with our U.S. partners in the next three months,” Andrus Ansip, the European Commission vice-president for digital issues, said in an e-mailed statement on Friday. “The commission has been asked to take swift action: this is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations.”

The EU Court of Justice last month forced the EU and the U.S. back to the negotiating table, saying the existing “safe-harbor” designed to ease the flow of commercial data across the Atlantic failed to stop U.S. spies gaining access to European citizens’ private details. Judges said it also compromised citizens’ right to challenge the use of their information.

Searches to Cereal

The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. The EU court ruling affected more than 4,000 companies, ranging from tech giant Google to cereal maker Kellogg Co, which were allowed to transfer data provided they adhered to a list of principles to protect privacy.

Following meetings with some of the firms affected, the EU issued guidance on Friday to help companies transfer data safely until a new deal is struck. Other tools include “standard contractual clauses” or so-called binding corporate rules, the commission said.

After several rounds of talks since the Oct. 6 EU court ruling, the onus is now on the U.S. “to come back with answers,” EU Justice Commissioner Vera Jourova said. Only then will a new trans-Atlantic deal be possible, she said.

“We can build on what we have already achieved in our talks since 2013, but there is still something more to be done” and “the court ruling is our benchmark in our talks with the U.S,” Jourova said. Any new accord must be a “stronger framework” than the one it replaces.

The EU court case was triggered by an Austrian law student who complained to the Irish data privacy watchdog that the accord allowed U.S. security services access to Facebook Inc. customer information sent to America.

Revelations by former U.S. National Security Agency contractor Edward Snowden sparked outrage about U.S. government surveillance activities and mass data collection. An Irish judge had sought the tribunal’s view on whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.

The Oct. 6 court decision prompted EU privacy watchdogs to commit to jointly take action by January if “no appropriate solution is found” in negotiations with the U.S.

The EU and U.S. had been in discussions since 2013 to strengthen the now-defunct safe harbor deal by boosting the privacy protection given to EU citizens’ data once it has been transferred.

(Updates with comments from EU commissioners in fourth paragraph.)