BRUSSELS (BLOOMBERG) - European Union regulators are adopting a much tougher approach to transatlantic data transfers to meet the demands of a landmark ruling last week that warned about potential American surveillance.
Companies won't have a grace period to comply with the decision by the EU's top court that undercuts the current system, according to a six-page document prepared by regulators.
In addition, firms must make assessments on how US laws might curb privacy protections for European residents.
EU data-protection watchdogs grappled with ramifications of the Court of Justice ruling striking down the so-called Privacy Shield during a nearly nine-hour meeting that ended late on Thursday (July 23).
While the legality of a separate, much more widely used contract-based data transfer mechanism, known as Standard Contractual Clauses (SCC), was upheld, doubts about American data protection make this a shaky alternative too.
"Companies are in a pretty difficult position where the only real zero risk solution is to stop data from being transferred to the US," Mr David Dumont, a lawyer with Hunton Andrews Kurth in Brussels, said by phone.
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency.
Privacy campaigner Max Schrems has been challenging Facebook in the courts in Ireland - where the social media company has its European base - arguing that EU citizens' data is at risk the moment it gets transferred to the US.
While the court last week said SCCs remain valid, the bar has been raised to a level that will make EU-US transfers under any tool complicated.
The protection of EU citizens' data in the US must be "essentially equivalent" to that in the 27-nation bloc, the court said.
The ruling "has catapulted us back to the past," said Mr Johannes Caspar, head of the data protection watchdog in Hamburg, Germany, who attended the meeting.
He said the ruling could even compromise data transfers to other non-EU states.
"This could overwhelm" regulators, but "we can't just sit down and not do anything," Mr Caspar said.
"It's a really difficult situation."
The transfer of personal data using SCCs "will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place," according to Friday's guidance from the European Data Protection Board, which is made up of the EU's privacy watchdogs.
In the absence of an EU-US data-transfer decision, the court put the onus on companies to adopt additional protections.
The EU regulators are "looking further into what these supplementary measures could consist of and will provide more guidance," the six-page document, which is presented as Frequently Answered Questions, said.
"Technical measures such as encryption and data minimisation could be one type of additional safeguards to be thinking about," Mr Dumont said.
The court had already struck down a trans-Atlantic data-transfer system, called Safe Harbour, in 2015 over concerns US spies could get unfettered access to EU data.
Many companies migrated to SCCs.
Since then, the bloc has put in place the General Data Protection Regulation, one of the world's strictest privacy laws.
This gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4 per cent of global annual sales.
The Irish Data Protection Commission, the lead EU regulator for Facebook and many other Silicon Valley giants, said last week after the ruling that the court's concerns mean "the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable."
The EU regulators said they are "looking further into what these supplementary measures could consist of and will provide more guidance."
"I am quite aware of how difficult this all is, especially now with the coronavirus where economies" have been affected, "but we are now back in this situation and have to deal with it," Mr Caspar said.