The European Commission has formally adopted a new agreement governing the transfer of data between Europe and the United States, more than eight months after the longstanding "Safe Harbor" transfer deal was invalidated amid concerns over US surveillance. The new agreement, known as the EU-US Privacy Shield, places safeguards on how US authorities can access the data of European consumers, and creates a framework for resolving cases where Europeans feel that their personal data has been misused. The data transfer pact goes into effect today, and US companies will be able to certify their compliance as of August 1st.
The EU-US Privacy Shield is seen as critical to facilitating the cross-border data flows that major tech companies and other industries rely upon to carry out trans-Atlantic business. EU member states formally signed on to the agreement last week, but as The Guardian reports, Austria, Slovenia, Bulgaria, and Croatia abstained from the vote. Representatives of Austria and Slovenia still had doubts over whether the deal would protect their citizens' data from US surveillance, the paper reported.
"a robust framework"
"We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible," Andrus Ansip, vice president for the European Commission's Digital Single Market initiative, said in a statement Tuesday. "Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions."
Under the agreement, US companies will have to self-certify that they meet higher data protection standards, and the US Department of Commerce will be charged with conducting "regular reviews" to ensure compliance. The US has also assured EU member states that there will be "clear limitations, safeguards and oversight mechanisms" governing how law enforcement and federal agencies access the data of Europeans, and that bulk data collection would only be carried out "under specific preconditions and needs to be as targeted and focused as possible," according to the European Commission.
Europeans who feel that their privacy rights have been violated can file complaints with national data protection agencies, who will then forward them to the Department of Commerce or the Federal Trade Commission in the US, or as a last resort, through an "arbitration mechanism." Disputes concerning national security will be handled by an ombudsperson in the US, who will be independent from federal security agencies.
Tech companies have welcomed the new deal, saying that it protects user privacy while allowing for trans-Atlantic trade. "We are pleased that the Privacy Shield mechanism has received broad support from Member States," said John Higgins, director general of DigitalEurope, a trade group that represents companies including Apple, Google, and IBM. In a statement released last week, Higgins added that the group's "members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies."
"an opaque document that will be a field day for law firms"
"Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements," John Frank, Microsoft's vice president of EU government affairs, said in a blog post published Monday.
But some civil liberties groups are wary of Privacy Shield, questioning whether it will have any meaningful impact on consumer privacy. Privacy International, a London-based watchdog, has expressed concerns over the new deal after a leaked version was published online last week, describing it in a post as "an opaque document that will be a field day for law firms." The organization said that its safeguards on mass surveillance provide "no meaningful legal protections," meaning that "any promises today can be easily be undermined tomorrow," and it questioned the independence of the ombudsperson oversight mechanism in the US. Privacy International added that although the agreement does "contain some improvements" regarding data protection for Europeans, its basic principles "still fall below what is expected to protect the rights of individuals."
"In short: new 'Shield', old problems," Tomaso Falchetta, legal officer at Privacy International, said in an email on Tuesday. "Given the flawed premises – trying to fix data protection deficit in the US by means of government’s assurances as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield remains full of holes and hence offers limited protection to personal data," Falchetta added.
"Sadly, for both privacy and for business, this agreement helps nobody at all," Joe McNamee, executive director of European Digital Rights (EDRi), an association of civil and human rights organizations, said in a statement on Tuesday. "We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and US can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights."