The European Commission signed off on a new data transfer agreement with the US today (2 February) to replace the old Safe Harbour agreement.
EU Justice Commissioner Vera Jourova and Commission Vice President Andrus Ansip announced the new deal, rebranded as the ‘EU-US privacy shield’, after a cabinet meeting of the EU executive today (2 February) in Strasbourg.
The new agreement comes after months of hurried negotiations between EU and US officials that became urgent after the European Court of Justice (ECJ) ruled the Safe Harbour invalid in October.
At a meeting of the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee just yesterday evening (1 February), Jourova said a new agreement hadn’t been sealed yet.
The new arrangement was minted this afternoon. It will go into effect after the deal is formally drafted, which Jourova estimated could take roughly three months.
Jourova and Ansip insisted the agreement will hold up if it's challenged again by the ECJ.
Ansip said the agreement is “robust and offers significant improvements compared to the previous scheme”.
The Commission will review the privacy shield annually with the US Department of Commerce, which manages the agreement in the US.
“For the first time ever the US has given the EU binding assurance that the access of public authorities for law enforcement of national security will be subject to clear limitations, safeguards and oversight mechanisms,” Jourova said.
The office of the director of national intelligence in the White House would guarantee those safeguards in writing. Jourova called that a “unique step” by the US to restore trust from the EU, which was lost in some countries after spying revelations.
“The US has ruled out mass surveillance on the personal data transferred to the US under this new arrangement,” she added.
An ombudsman will be designated to oversee privacy complaints from EU citizens and work out of the US State Department.
In a conference call with journalists shortly after the Commission announcement, US Secretary of Commerce Penny Pritzker confirmed that the Federal Trade Commission, the US federal privacy authority, will work with EU data protection watchdogs to monitor complaints against the new arrangement.
“We’re confident that we’ve met the requirements of the ruling as well as the various issues that have arisen over the past two years,” Pritzker said.
“We’ve structured the negotiations around the case so that we could make sure that we address the various provisions as delineated in the opinion,” she added.
A senior official at the Department of Commerce told reporters “there would be a period of time when companies are going to have a bit of leeway” before they’re required to comply with the terms of the agreement.
The privacy shield will still include an exception for national security — a point negotiators squabbled over. The ECJ verdict blasted the US intelligence agencies for conducting mass surveillance of EU citizens’ data in the US.
The US official said that the ombudsman in the State Department would be “outside of the intelligence community” and that intelligence agencies’ requests to access EU citizens’ data could be disclosed according to US law.
National data protection authorities from EU member states are meeting today and tomorrow to agree on how they’ll handle privacy complaints and data transfer requests under the new agreement with the US.
Jourova said today that she has briefed Isabelle Falque-Pierrotin, president of the group of EU privacy watchdogs, on the new deal.
Christian Borggreen, international policy director of the Computer & Communications Industry Association (CCIA): "We welcome the agreement, which will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on transatlantic data flows. We commend the European Commission and U.S. negotiators for agreeing on a strengthened framework, which we will now examine in further detail. We call on European Data Protection Authorities to endorse this new and strengthened framework and give time for Safe Harbour companies to transition. We also urge that existing commercial data transfer mechanisms remain viable."
German MEP Jan Philipp Albrecht (Green): "This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision. The EU Commission's proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision. The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens' complaints. [...] If this framework is adopted unchanged, it can be expected that member states' data protection authorities will exercise the new powers granted to them via the European Court ruling to subject any data transfers to additional security measures."
John Higgins, director general of trade association DigitalEurope: “We hope a new Decision will be presented shortly and that it will re-establish a sustainable path for data transfers between the EU and US while safeguarding data privacy and bringing legal clarity to businesses. We ask Europe’s DPAs to view this signal from the European Commission as a sign of good faith and to hold off with any potential enforcement action until the new agreement has been fully implemented. While they are assessing the replacement for Safe Harbour, we urge Europe’s DPAs to continue to honour the use of other transfer mechanisms, such as binding corporate rules (BCRs) and model contract clauses (MCCs), so that data transfers to the US can continue unimpeded.”
Dean Garfield, president and CEO of lobby association Information Technology Industry Council (ITI): "Once fully enacted, this agreement will provide a basis for companies to reliably move data across the Atlantic, while upholding citizens' fundamental rights to privacy and data protection."
Susan Danger, managing director of the American Chamber of Commerce's EU office: "This new framework gives business the necessary confidence to continue to invest in the transatlantic marketplace. It is a step in the right direction towards rebuilding trust and confidence for citizens and business alike."
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
European Commission: press release on EU-US privacy shield (2 February 2016)