EU member states today (8 July) signed off on the controversial Privacy Shield agreement for data transfers to the US, locking down the final deal after the European Commission haggled for months with the US over legal details.
Four out of 28 EU diplomats abstained from the final vote. The Commission instructed diplomats not to publicly state how they voted.
One person who voted on the agreement said the executive was “paranoid” that if it became public which countries abstained, support for Privacy Shield would be weakened.
“The Commission’s idea is that since member states are now bound to the decision, everybody should rally behind it regardless of how they voted in the committee. That’s politically difficult if it comes out that your delegation voted one way,” the source said.
The official described the executive as “very concerned that member states will not help protect Privacy Shield”.
A Commission official told euractiv.com that it’s standard for the voting breakdown in so-called comitology committees made up of national diplomats to be kept secret.
Privacy Shield is a replacement for the now defunct Safe Harbour agreement, which was knocked down by the European Court of Justice last October on grounds that data protection safeguards were too lax in the United States.
Safe Harbour landed in court after the Austrian lawyer Max Schrems filed a complaint against Facebook for violating the agreement.
Schrems already said he would challenge Privacy Shield in court as well because the deal doesn’t have strict enough privacy safeguards.
The Commission has vowed to review the new deal once every year.
One diplomat said the countries that abstained from the vote would be “extremely vigilant” during the review.
“This is not just going to be a box-ticking exercise, this is going to be a very detailed and in-depth review. Only adjustments from the review can save this from the ECJ,” the diplomat said.
The Commission announced in February that it had struck a deal with the US to replace Safe Harbour. Since then, national data protection watchdogs and the European Parliament have pointed out cracks in the deal but only the group of diplomats from EU countries could actually topple the agreement.
Diplomats pressed the executive to make changes, which include promises that “bulk collection” of personal data once its transferred to the US will not be “mass” or “indiscriminate”.
EU Justice Commissioner Vera Jourova said earlier this year that she wanted the agreement finalised by June, but diplomats wouldn’t give the green light until the Commission improved the deal.
Background
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.