Privacy Shield, the much-debated data transfer agreement that will replace Safe Harbor, has been approved by the European Union.
The 28 member states of the EU approved the data transfer deal today following extensive debate and some controversy over the protections it provided to EU citizens’ data when transferred to the U.S. Under the terms of the new deal, Privacy Shield will be reviewed on an annual basis.
The original agreement, Safe Harbor, was struck down by the European Court of Justice (ECJ) in October of last year over concerns about how EU data was being treated once it was transferred to the U.S.
Safe Harbor provided that U.S. companies would handle European data with care once it entered the U.S but this never provided any real guarantee that the data was safe from the U.S. mass surveillance revealed by Edward Snowden in 2013. The ECJ agreed and threw the legal basis for data transfers out the window, leaving companies like Google and Facebook in legal limbo.
The new Privacy Shield allows for legally official transfers to recommence across the Atlantic once again. The European Commission has called Privacy Shield “fundamentally different” from Safe Harbor with greater protections for EU citizens’ data as U.S. companies are required to treat European data with the same protections it would have at home.
“For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data,” said Andrus Ansip, Vice President for the Digital Single Market on the European Commission and Justice Commissioner Vera Jourova in a shared statement.
Among the new provisions of Privacy Shield is the establishment of a U.S. ombudsman who can investigate complaints from EU citizens pertaining to surveillance or data abuses at the hands of authorities.
However, critics of the deal warn that it is still toothless when it comes to truly preventing EU data getting caught up in mass surveillance once it has come under U.S. jurisdiction.
The deal is “flawed,” wrote Tomaso Falchetta, legal officer at U.K.-based digital rights group Privacy International. He stated that it fails to fully address the surveillance concerns by the ECJ in a case brought by Austrian lawyer Max Schrems last year that led to this very situation and it’s likely that the Privacy Shield deal will be challenged in the courts in the near future.
Finally, four countries abstained from the vote (reportedly Austria, Bulgaria, Croatia, and Slovenia), which may cause friction when the first annual review of Privacy Shield comes around.