The US and the European Commission (EC) are struggling to agree new Safe Harbour data transfer rules, missing the deadline imposed by European data protection watchdogs to have new laws in place by the end of January.
Officials from the EC and the US government met in Brussels last week in an effort to agree new laws governing data transfers from the EU to the US, but they have still to find any common ground.
“I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences,” said EC commissioner Vera Jourová.
“Negotiations are still ongoing, including at the political level. There have been very intensive discussions at the weekend.”
The discussions were required after the European Court of Justice ruled the old data transfer framework invalid as it could not guarantee the privacy of EU citizens' data in the wake of the Snowden spying revelations.
The EC is under pressure to ensure that any new framework will provide this protection, as Jourová outlined.
“We have underlined to our American partners that any new adequacy decision must be able to withstand a new legal challenge. This is important for the standard of fundamental rights protection, but also to ensure legal certainty for business," she said.
However, this is causing a sticking point with the US as it sees the right to harvest such data as core to national security.
The failure to reach an agreement is a major blow for businesses and has the potential to create uncertainty as firms will have to adhere to tougher, more stringent data rules if sending data to the US.
This may not prove too difficult to organise for larger firms such as Google or Microsoft, given their vast legal and financial resources, but it could prove troublesome for smaller firms involved in data transfers.
It also throws open the risk that companies could face the wrath of data protection commissioners, as the pan-European Article 29 Working Party explained that agencies would begin taking action where necessary from February.
“If no appropriate solution is found by the end of January 2016 EU data protection authorities are committed to taking all necessary and appropriate actions, which may include coordinated enforcement actions,” the group said last year.
At present it remains to be seen what this action could be, but fines are a possibility.
Annabelle Richard, legal director at Pinsent Masons, warned that data authorities must be pragmatic when it comes to how they deal with firms caught up in the confusion of the ongoing discussions.
"It would be wrong for data protection authorities to view any failure by them to agree 'Safe Harbour 2.0' imminently as a green light to burden businesses that try to do what is right and that have regard for privacy with major restrictions on day-to-day operations at this time,” she said.
The UK the Information Commissioner's Office has certainly sounded like it will take an open-minded approach, at least based on comments from information commissioner Christopher Graham last year.
“We’re not going to start doing some knee-jerk enforcement [in February] but it is important that data controllers begin to think about what steps they should take to be confident they are entrusting the data of EU citizens to a safe place,” he said.
Four business groups representing the world’s biggest technology companies told US and EU policy makers last month that they must reach an agreement regarding data flows between the two regions or face dire economic consequences.
Infected apps have been downloaded more than 50 million times
Customers of regular price-raising ISP and cable operator claim nationwide outages started on Monday
Pixel 2 smartphones and a Pixel-branded laptop also planned by Google
The moment you've all been waiting for...