BRUSSELS – New rules governing trans-Atlantic data transfers were formally approved Tuesday, months after Europe’s top court ruled against the previous arrangements amid concerns over the surveillance activities of U.S. intelligence agencies.
The European Union and the U.S. say the new Privacy Shield imposes stricter obligations on American companies, including the likes of Facebook and Apple, to safeguard the personal data of individuals, from health matters through to social media activities.
Critics argue the new framework, which comes into force Aug. 1, doesn’t go far enough, that consumer protections are not strong enough and that the possibility of blanket surveillance from U.S. agencies remains. Another court challenge to the new arrangements is widely anticipated.
As part of the deal, the U.S. government has promised that any access on national security grounds by public authorities to personal data transferred under the new arrangements will be subject to “clear conditions, limitations, oversight and preventing generalized access.”
The two sides say that the deal also includes stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including increased co-operation with European authorities.
Under the terms of the new deal, there will be an annual joint review of the pact and those who think their data has been misused have a route for complaint. And the U.S. will appoint a new official — an ombudsman based at the State Department — responsible for following up on European complaints.
“The approval of the Privacy Shield is a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising,” U.S. Commerce Secretary Penny Pritzker said.
“For businesses, the free flow of data makes it possible for a startup in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee,” she added.
The deal potentially brings an end to a period of uncertainty for businesses following last October’s decision by the European Court of Justice that the previous Safe Harbor pact was invalid because it did not adequately protect consumers when their data was stored in the U.S.
The pact, which had been used by around 4,500 companies, had allowed the easy transfer of data from the EU by having U.S. companies promise to provide privacy protections equivalent to those in the EU. The EU court’s ruling that the pact was invalid opened up the possibility that data privacy officers across the 28-country EU might be inundated by complaints from consumers worried about their privacy.
“The adoption of Privacy Shield will enhance legal certainty for thousands of businesses on both sides of the Atlantic while providing an adequate level of protection for citizens’ data,” Markus J. Beyrer, the director general of lobby group BusinessEurope.
Concerns over data transfers had been stoked by the spying revelations made by Edward Snowden, a former contractor at the U.S. National Security Agency. Snowden’s revelations prompted the complaint to the court from Max Schrems, an Austrian law student.
Schrems said the new arrangements don’t go far enough and argued that the requirements on the U.S. authorities are not equivalent to those in the EU.
“It is little more than a little upgrade to Safe Harbor,” he said. “It is very likely to fail again. … This deal is bad for users, which will not enjoy proper privacy protections, and bad for businesses, which have to deal with a legally unstable solution.”
Schrems’ view was echoed by Jan Philipp Albrecht, a European Parliament lawmaker for The Greens, who said the European Commission “signed a blank check for the transfer of personal data of EU citizens to the U.S., without delivering equivalent data protection rights.”
As a result, there is widespread speculation that another challenge will emerge.
Professor Felix Wu of Cardozo Law School in New York said “someone is surely going to challenge it” but that on balance he anticipated the European Court would back Privacy Shield.
Scott Vernick, a partner and head of data security at Fox Rothschild LLP in Philadelphia, also thinks “there’s a better than even chance” the new deal will withstand a legal challenge.
“It seems to me you will always have hard-line interests spoiling for a fight because they have a very particular view about privacy protections available in the EU as against the U.S.,” he said.
Both U.S. Commerce Secretary Pritzker and Vera Jourova, the European Commissioner for Justice, said they are confident the new deal will stand up in court.
“My confidence stems from the fact that we have designed the rules of Privacy Shield based on the previous Court judgment,” Jourova said.