After the deadline to reach a deal on a new Safe Harbor for the transatlantic transfer of data expired, the European Union and the United States reached an agreement on a "Privacy Shield."
Last October, the Court of Justice of the European Union threw out the Safe Harbor agreement between the United States and European Union, leaving a wake of uncertainty about the international transfer of data. The 15-year-old agreement required companies in the United States to self-certify that they were in compliance with the seven principles found in the European Union's standard. Administered by the U.S. Department of Commerce, the deal permitted American companies to transfer data from the European Union to the United States without violating the more stringent data laws found in the European Union.
However, after Edward Snowden's revelations about the surveillance activities of the National Security Agency (NSA), Austrian citizen Max Schrems filed a complaint that led the European Union's highest court to invalidate the Safe Harbor. Businesses were left in a quandary and the pressure on the negotiations surrounding a new agreement increased. Thereafter, the January 31 deadline to reach a new deal passed.
Bringing a measure of relief—but a new dose of uncertainty—officials announced two days later that the governments had reached an understanding. Details about the agreement, dubbed the EU-U.S. Privacy Shield, remain unclear and the parties must still hammer out the details. One issue that remains key for the European Union: limits on U.S. governmental surveillance of data.
The European Commission issued a statement about the Privacy Shield in which it revealed that the United States has promised to rein in its oversight. "For the first time, the U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms," the Commission said. "The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review" conducted by the Commission and the Commerce Department.
Companies that receive personal data from Europeans must practice robust enforcement to protect the rights of EU citizens, who will be offered multiple redress possibilities. The State Department must appoint an Ombudsperson to handle complaints regarding instances of possible access by national intelligence authorities.
Moving forward with the Privacy Shield will require some effort on both sides of the pond. Lawmakers in the United States need to move along the Judicial Redress Act, a bill that would permit non-U.S. citizens to bring suit in this country over allegations of illegal governmental data surveillance. The House of Representatives passed the bill in October but it remains pending in the Senate Judiciary Committee.
In Europe, the Article 29 Working Party (WP29), composed of EU privacy regulators, released a statement requesting additional information before the group will sign off on the deal. The WP29 "looks forward to receiving the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by the Schrems judgment as regards international transfers of personal data," the group said.
The WP29 highlighted "four essential guarantees for intelligence activities" to garner its approval: the processing of data should be based on clear, precise and accessible rules; the objectives of the processing should be necessary and proportionate; an independent oversight mechanism should exist that is both effective and impartial; and effective remedies must be made available to the individual.
Why it matters: Work will still be required to finalize the agreement. While the EU Commission, with the assistance of the WP29, prepares a draft "adequacy decision" that will explain the agreement for approval by the European Union's College of Commissioners, officials in the United States will put in place the new framework, the monitoring mechanisms, and the Ombudsperson required by the understanding. But even an agreement in principle allows businesses to breathe a sigh of relief. "This new agreement provides certainty to American and European businesses that trans-Atlantic data flows may continue and confirms the establishment of clear safeguards for protecting individual privacy rights," Direct Marketing Association Vice President of Advocacy Christopher Oswald said in a statement. Federal Trade Commission Chair Edith Ramirez agreed. "We are pleased that U.S. and European Commission officials have reached an agreement in principle which, once finalized, will allow for the continuation of an important mechanism for transatlantic data transfers," she said in a statement. "Under the new agreement, the EU-U.S. Privacy Shield, the Federal Trade Commission will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers' personal information and privacy. We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic."