Privacy Shield agreement signed off despite vote abstentions

EU Justice Commissioner Věra Jourová represented the EU executive in the debate. [European Commission]

EU member states today (8 July) signed off on the controversial Privacy Shield agreement for data transfers to the US, locking down the final deal after the European Commission haggled for months with the US over legal details.

Four out of 28 EU diplomats abstained from the final vote. The Commission instructed diplomats not to publicly state how they voted.

One person who voted on the agreement said the executive was “paranoid” that if it became public which countries abstained, support for Privacy Shield would be weakened.

“The Commission’s idea is that since member states are now bound to the decision, everybody should rally behind it regardless of how they voted in the committee. That’s politically difficult if it comes out that your delegation voted one way,” the source said.

The official described the executive as “very concerned that member states will not help protect Privacy Shield”.

A Commission official told that it’s standard for the voting breakdown in so-called comitology committees made up of national diplomats to be kept secret.

Privacy Shield is a replacement for the now defunct Safe Harbour agreement, which was knocked down by the European Court of Justice last October on grounds that data protection safeguards were too lax in the United States.

Safe Harbour landed in court after the Austrian lawyer Max Schrems filed a complaint against Facebook for violating the agreement.

Schrems already said he would challenge Privacy Shield in court as well because the deal doesn’t have strict enough privacy safeguards.

Commission replaces Safe Harbour with rebranded 'privacy shield'

The European Commission signed off on a new data transfer agreement with the US today (2 February) to replace the old Safe Harbour agreement.

The Commission has vowed to review the new deal once every year.

One diplomat said the countries that abstained from the vote would be “extremely vigilant” during the review.

“This is not just going to be a box-ticking exercise, this is going to be a very detailed and in-depth review. Only adjustments from the review can save this from the ECJ,” the diplomat said.

The Commission announced in February that it had struck a deal with the US to replace Safe Harbour. Since then, national data protection watchdogs and the European Parliament have pointed out cracks in the deal but only the group of diplomats from EU countries could actually topple the agreement.

Diplomats pressed the executive to make changes, which include promises that “bulk collection” of personal data once its transferred to the US will not be “mass” or “indiscriminate”.

EU Justice Commissioner Vera Jourova said earlier this year that she wanted the agreement finalised by June, but diplomats wouldn’t give the green light until the Commission improved the deal.

EU privacy watchdogs demand improvements to 'Privacy Shield'

European privacy watchdogs gave a damning verdict of the Privacy Shield, the draft deal for data transfers from the EU to the US, and warned the European Commission to shore up gaps in the new agreement on national security agencies.

The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.

Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.

Subscribe to our newsletters