The EU-US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses
The new deal comes after the EU’s top court last year struck down a previous arrangement, leaving giants such as Google and Facebook unsure whether they could transfer data back to their operations in the US.
Brussels and Washington say the new “Privacy Shield” sets out tough rules to prevent US intelligence agencies accessing Europeans’ data, with companies facing penalties if they do not meet European standards of protection.
Critics say it still fails to provide sufficient protection from American surveillance, does not provide legal redress and is likely to face challenges in court.
The EU court invalidated the earlier “Safe Harbour” deal after an Austrian activist sued Facebook in Ireland, citing US snooping practises exposed by former NSA contractor Edward Snowden.
“The EU-US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” EU Justice Commissioner Vera Jourova told a press conference in Brussels.
Responding to threats of further legal action against the new deal, US Commerce Secretary Penny Pritzker said that “With new privacy protections in place, we are confident the framework will withstand further scrutiny”.
The deal will “facilitate more trade across our borders, more collaboration across the Atlantic and more job-creating investments in our communities,” Pritzker added.
Bulk data collection
Companies wanting to transfer data back from Europe to the US must “self-certify” asbeing compliant with the new deal with the US government from August 1, the EU said.
If they fail to do this, they can face fines and removal from the list.
The deal includes commitments by the US to limit the use of bulk-collected intelligence, the appointment of a US ombudsman to deal with complaints by European citizens, and fines for firms that do not comply.
The deal will also be subject to an annual review.
The old agreement, “Safe Harbour”, effectively meant that Europe treated the United States as a safe destination for internet data on the basis that Brussels and Washington adhered to similar standards.
But it was declared invalid by the European Court of Justice, citing National Security Agency documents leaked by Snowden in 2013.
Top US companies including Facebook, Google and Microsoft in particular have been eager to end the legal void, because they transfer data from their European subsidiaries to their headquarters in the United States.
John Frank, Microsoft’s vice president for EU government affairs, said Monday his firm “will sign up to the new framework as soon as possible.”
But activists and European lawmakers are highly critical. They call the deal still highly deficient in terms of protection from US government access to data, as well as safeguards from bulk data collection.
Austrian internet activist Max Schrems, who brought the original case against Facebook, said the new deal was likely to face fresh legal challenges.
“This deal is bad for users,” Schrems said in a statement, adding that it was the result of pressure from Washington.
The Article 29 Working Party, an independent European data protection watchdog which has in the last months called on the commission to improve the deal, said it will meet July 25 to finalise its stand.
But Markus Beyrer, director general of Brussels-based BusinessEurope, said the deal “will enhance legal certainty for thousands of businesses on both sides of the Atlantic while providing an adequate level of protection for citizens’ data.”
Industry group Digital Europe also welcomed the deal saying its members, which include firms like Google and IBM, are ready to begin the re-certification process opening August 1.