BRUSSELS – The European Union and the United States struck a deal Tuesday over data-sharing that will allow the likes of Facebook and Apple to continue sending people’s information across the Atlantic — but a legal challenge to the pact is widely anticipated.
The sides had been trying to forge an agreement since October, when Europe’s top court ruled against the previous pact — known as Safe Harbor — amid concerns that Europeans’ personal data stored by companies in the U.S. might be exposed to spying by U.S. intelligence agencies.
The new deal, once put in place, potentially brings an end to a period of uncertainty that had raised the prospect of legal challenges by individuals across the 28-country EU worried about privacy.
“Our people can be sure that their personal data is fully protected,” said Andrus Ansip, the European Commissioner responsible for the digital single market. “Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.”
Ansip said the new framework, which will be known as EU-US Privacy Shield, will ensure the “right checks and balances” for European citizens and added that it “offers significant improvements” to the previous deal, which had been struck in the early days of the Internet at the turn of the century.
“This solution is much better than the one we had in the year 2000,” he said.
Under the new deal, there will be an annual joint review of the data-sharing pact, with the first expected sometime next year. The U.S. has also promised to appoint a new official — a so-called ombudsman based at the State Department — responsible for following up on complaints upon referral from EU data protection officers.
“It’s Safe Harbor with teeth,” said Dyann Heward-Mills, Head of Data Protection at the legal firm Baker & McKenzie in London. “I think this is good for business certainty and consumer trust.”
In its October decision, the European Court of Justice declared the Safe Harbor pact was invalid because it did not adequately protect consumers when their data was stored in the U.S., in light of the spying revelations made by Edward Snowden, a former contractor at the U.S.’s National Security Agency. Snowden’s revelations had prompted the complaint to the court from an Austrian law student, Max Schrems.
The pact, which had been used by around 4,500 companies, had allowed the easy transfer of data from the EU by having U.S. companies promise to provide privacy protections equivalent to those in the EU. The EU court’s ruling that the pact was invalid opened up the possibility that data privacy officers across the EU might be inundated by complaints by consumers worried about their privacy.
Vera Jourova, the European Commissioner for Justice, said the deal is a landmark as for the first time ever the U.S. has given the EU “binding assurances” that the access of public authorities for national security purposes “will be subject to clear limitations, safeguards and oversight mechanisms.”
Also for the first time, she said EU citizens will benefit from “redress mechanisms” in this area.
“The U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” she said.
Jourova added that she’s confident that the new arrangements will withstand any future court challenges as the discussions used the court ruling to help in the “formulation” of the new arrangements.
She estimated it could take up to three months to make the deal binding, while U.S. Secretary of Commerce Penny Pritzker said she expected it to be in effect in a matter of weeks. Pritzker said “it’s been a long road but we’ve turned the corner.”
Given the role cross-border data-flows play in a modern economy, the news of the deal was met with relief by many.
“We welcome the agreement, which will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on trans-Atlantic data flows,” said Christian Borggreen, international policy director at the U.S.-based Computer & Communications Industry Association.
Others were a bit more cautious.
The Washington, D.C.-based Center for Democracy & Technology, which did a quick analysis of the announced framework, said in a statement that despite the framework’s improvement for EU citizens’ data privacy it would likely face trouble in court.
“Absent reform of U.S. surveillance law, it is highly unlikely that the Privacy Shield agreement will be deemed sufficient by the (European) Court of Justice,” said Jens-Henrik Jeppesen, the body’s director of European affairs.
He called on the U.S. Congress to swiftly move to reform its surveillance law and for EU member states to narrow their own surveillance laws and practices to also be more aligned with international human rights norms.
And Sophie In’t Veld, spokesperson for data protection for the ALDE alliance of liberals in the European Parliament, said a legal appraisal of the safeguards offered by the U.S. is needed.
“It is highly doubtful that they offer meaningful protection to European citizens, or if they meet the standards set by the European Court of Justice,” she said.
She noted that the assurances seem to rely exclusively on political commitment, instead of legal acts so “any change in the political constellation in the U.S. may undo the whole thing.”
Tami Abdollah in Washington contributed to this report.