The majority of EU member states have voted for the EU-US Privacy Shield, the framework for transatlantic data flows between the two regions. Four of the 28 states abstained to vote, however - Austria, Slovenia, Croatia, and Bulgaria.
Last year, the European Court of Justice ruled the Safe Harbour agreement invalid after Austrian Max Schrems sued Facebook in the wake of Edward Snowden’s surveillance revelations.
This left companies in a legal limbo when it came to transatlantic data transfers, with Privacy Shield proposed as the solution. But the framework was initially rejected by the EU in May after concerns that it did not do enough to curb US surveillance powers.
“The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business,” Vice-President Ansip and Commissioner Jourová said in a joint statement.
“It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.
“For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”
DigitalEurope, the tech industry lobby group that includes the likes of Google, Apple, AWS and some 10,000 other corporations, welcomed the news.
John Higgins, director general, said: “We are pleased that the Privacy Shield mechanism has received broad support from Member States. While negotiations have not been easy, we congratulate the European Commission and the US Department of Commerce on the hard work over the past months aimed at restoring trust in data transfers between the EU and US.
“Negotiators have diligently worked to address the concerns about the original draft Privacy Shield voiced by the EU’s Data Protection Authorities. The final text offers greater clarity on data retention, strengthened obligations for onward transfers of data to third countries, applicability of the mechanism to EEA countries, clarity on the autonomy and activities of the Ombudsperson and assurances on bulk collection.
Higgins added: “our members are committed to ensuring a high level of data protection when executing transatlantic data transfers. Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies.”
“We hope that the Privacy Shield will ease some of the recent pressure on alternative transfer mechanisms, particularly standard contractual clauses, so that Europe can get back to focusing on how international data flows can play a part in contributing to economic growth.”
Giving a US perspective, former FTC Commissioner Julie Brill wrote in Euractiv: “Once Privacy Shield is adopted, the State Department will create a new Ombudsperson position to process any complaints by European citizens or data protection authorities about US signals intelligence practices.”
Some, however, have raised concerns that Privacy Shield differs only slightly from Safe Harbour, with ’European Digital Rights’ member Privacy International saying that “the ’new’ Privacy Shield looks very much like the old one.”
Meanwhile, Ashley Winton, UK head of data protection and privacy at Paul Hastings LLP & Chairman of the UK Data Protection Forum, has said that while Privacy Shield has “gone some way to addressing the serious concerns of the Article 29 Working Party, the EU Parliament and the EDPS… there is still a significant risk that it will be challenged in European courts.”
He added that “this risk is particularly acute for businesses with operations in the post-Brexit EU, as they continue to spend valuable time and money on preparing for the unknown. However, those companies processing personal data under English law jurisdiction should enjoy the post-Brexit legal environment of data protection and privacy, where the chance of legal challenge is much reduced.
“For now, interested parties are awaiting the Commission’s explanation about how the US privacy law system is now a satisfactory equivalent, that data subjects have real rights against disproportionate processing in the US, and that if there is disproportionate or illegal processing then citizens can have their personal data deleted and ultimately get redress in an appropriate court.”
The Privacy Shield framework now has to be approved by the European Commission, something that is expect to happen next week. Update: This has now happened, and Privacy Shield has been fully approved.
Microsoft welcomed the news, with John Frank, VP of EU Government Affairs, saying:
“Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans’ right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data.”
Member of the European Parliament from the Alliance ’90/The Greens, Jan Philipp Albrecht, was less positive, saying:
“The Commission has today signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights. The ‘Privacy Shield’ framework does not seem to address the concerns outlined by the European Court of Justice in ruling the Safe Harbour decision illegal. In particular the individual rights of consumers are still too weak and blanket surveillance measures are still in place. In this context, the Commission should not be simply accepting reassurances from the US authorities but should be insisting on improvements in the data protection guaranteed to European consumers.
“The European Parliament already underlined concerns about the lack of general data protection provisions in the US when the initial Safe Harbour decision was concluded in 2000. Independent data protection authorities are still lacking in the US. EU justice commissioner Jourova must now make clear that, once the EU’s new General Data Protection Regulation enter into force in 2018, there will also be a need to revise the Privacy Shield decision.”
Max Schrems, the man who first led to Safe Harbour’s destruction, told Fortune:
“It’s the same as Safe Harbor with a couple of additions, and it’s going to fail like the one before. It’s better than Safe Harbor, obviously, but far from what the ECJ has asked for.”