Goodbye Safe Harbor, hello Privacy Shield: that’s the name given by European Union and U.S. negotiators to the deal they struck on Tuesday enabling legal transfers of personal data between the two regions.
The EU-US Privacy Shield will “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses,” the European Commission said in a press release announcing the agreement.
Reactions were mixed, however, with some arguing the new framework fails to protect the privacy of European citizens. NSA whistleblower Edward Snowden was among the critics.
Designed to replace the Safe Harbor agreement that was struck down in October, the new deal imposes stronger obligations for U.S. companies to protect the personal data of European citizens. It also calls for stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission, both of which will cooperate with European data-protection authorities to address any complaints by EU citizens. A dedicated ombudsman will help oversee complaints and enquiries as well.
Finally, there will be a joint annual review focused on monitoring and ensuring that commitments are upheld.
“The EU and the United States are the closest allies,” said Andrus Ansip, vice president of the EC in charge of Digital Single Market, in a press conference on Tuesday. “On a topic as important as this, we had to find common solutions. I believe this new arrangement is what Europe needs — both our citizens and our businesses will benefit from this.”
U.S. Secretary of Commerce Penny Pritzker was similarly optimistic.
“It’s been a long road, but we’ve turned the corner and now we stand together,” Pritzker said during a press call on Tuesday. “This will allow the digital economy in both the EU and the U.S. to continue to grow.”
As part of the agreement, the Department of Commerce will ensure that U.S. companies publish their commitments to protect Europeans’ privacy, making them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Meanwhile, the U.S. has given the EU written assurances for the first time that data access for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred inside its borders. The annual joint review will include the issue of national security access, with participation by national intelligence experts from the U.S. and European Data Protection Authorities.
Coming up next, the EU College of Commissions has mandated Ansip and the European Commissioner for Justice, Consumers and Gender Equality, Vĕra Jourová, to prepare a draft “adequacy decision” in the coming weeks. That, in turn, could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsman.
Though it was applauded by the U.S. Direct Marketing Association and Microsoft President and Chief Legal Officer Brad Smith, reactions elsewhere were decidedly less enthusiastic about the new agreement.
“We urgently need a thorough legal appraisal of the safeguards offered by the U.S.,” said Sophie in ‘t Veld, vice president and spokesperson for data protection for the Alliance of Liberal Democrats in Europe. “The legal status of these safeguards is very unclear. It is highly doubtful that they offer meaningful protection to European citizens.”
Similarly, “the emperor is trying on a new set of clothes,” said Joe McNamee, Executive Director of European Digital Rights. “Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail.”
At least one U.S. company was also skeptical.
“European attitudes toward data privacy have not changed, and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court,” said Yorgen Edholm, CEO of Accellion. “Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don’t believe Safe Harbor 2.0 will end this debate.”
Meanwhile, Europe’s data protection authorities were meeting on Tuesday, a day before they are scheduled to publish an evaluation on how recent changes in U.S. law affect trans-Atlantic data transfer using alternative legal mechanisms. They will likely also offer an opinion on the Privacy Shield deal.