The Privacy Shield commercial data transfer pact gained approval from EU governments today.
With Safe Harbor agreements failing in February, this level of approval should pave the way for it to be adopted from Tuesday 12 July. Privacy Shield will underpin over $250 billion dollars of transatlantic trade in digital services by facilitating cross-border data transfers that are crucial to international business.
Commission vice-president Andrus Ansip and Justice Commissioner Vera Jourova said in a statement that the EU-US Privacy Shield “will ensure a high level of protection for individuals and legal certainty for business.”
“It is fundamentally different from the old 'Safe Harbor': it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” they said.
“For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data. Last but not least, the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.”
Safe Harbor was in place for 15 years until it was declared to be invalid in October 2015, with Privacy Shield agreed upon in February 2016 and revised by the Article 29 Working Party later that month.
Outgoing Information Commissioner Christopher Graham said in April that he “wished we had been involved” in discussions around Privacy Shield, and that it would have been sensible if the European Court of Justice and USA had sat down and asked the important questions about the proposal, and asked questions about the lack of clarity around the documentation and the justification for bulk data collection.
Privacy Shield will see the USA create an ombudsman position within the State Department to field complaints from EU citizens about US spying, and it has ruled out indiscriminate mass surveillance of Europeans' data.
Research by Blue Coat Systems of 6044 people revealed that the majority of EU workers polled do not trust the United States of America (USA) to store or host their data, indicating that the decisions of the European Court of Justice to strike down the Safe Harbor agreement is supported by European citizens. It found that 9% of respondents would trust their work data to be stored or hosted in the USA, 13% of Brits trust the USA when compared with those surveyed in France and Germany; German levels of trust in the USA drop to 3%.
Phil Lee, partner at Field Fisher, said: “Like Safe Harbor, the Privacy Shield relies on companies self-certifying their compliance. That's sure to be controversial – Safe Harbor didn't have a good track record of self-certified companies complying with the commitments they made."
"Privacy Shield is, essentially, an amped-up version of Safe Harbor: it builds off very similar principles, but adds more details and controls. In many ways it bears a lot of similarities to Binding Corporate Rules, except that it relies on self-certification rather than regulatory authorization and only allows transfers to the US rather than worldwide.”
Kuan Hon, consultant lawyer at Pinsent Masons, said that if Privacy Shield is adopted, then it will likely be challenged by activists or data protection authorities.
“But it depends on what concessions the Commission managed to get from the US - especially on mass surveillance” Hon said. “If the Privacy Shield adequacy decision is challenged, the Court of Justice of the European Union (CJEU) is likely to expedite the hearing given the importance of this issue. Ultimately the CJEU will have the final say here, and at this stage we can’t predict whether they would uphold the Privacy Shield decision or invalidate it, and if so on what grounds.”
However techUK welcomed the announcement, calling it “critical for the future of Europe’s data-driven economy”.
Charlotte Holloway, associate director of policy at techUK, said: “This is a major step forward for restoring certainty and a stable legal footing for transatlantic data flows. We look to this new deal to boost business confidence and provide a strong platform for UK scaling businesses and international companies alike. The Commission is to be applauded for their hard work to address the range of issues raised by Europe’s Data Protection Authorities."
“Whilst the coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade. We urge policymakers to continue to keep front of mind that data and trade go hand in hand in today’s global economy.”