The controversial Privacy Shield agreement, which was signed today (12 July), forced the United States to be unusually transparent about the operations of its intelligence agencies, a top American official has claimed.
The European Commission inked the controversial Privacy Shield agreement for data transfers to the US today. Companies will be able to sign onto the deal starting 1 August.
US Secretary of Commerce Penny Pritzker and EU Justice Commissioner Věra Jourová defended the new agreement against criticism that it won’t stand up in court.
Privacy Shield took months of negotiations and was blasted by EU privacy watchdogs for having shoddy data protection safeguards.
Pritzker told journalists in Brussels that the US government bent over backwards to meet the EU’s demands for a stricter deal, including a guarantee that if personal data is collected in bulk once its transferred to the US, it can’t be “mass” or “indiscriminate”.
“It’s quite unusual how transparent we’re being in terms of how our intelligence communities operate,” Pritzker said.
Under an Obama administration directive, bulk collection of data is only allowed in six cases, although critics argue they’re loosely defined. They include in cases of terrorism, cybersecurity and espionage.
National diplomats voted to approve the deal last Friday, although four countries abstained.
Critics of Privacy Shield say the agreement won’t stand up in court and is likely to land at the European Court of Justice (ECJ) again, like its predecessor, the Safe Harbour argument. Safe Harbour was ruled illegal by an ECJ decision last October.
Companies will be able to sign up to Privacy Shield. More than 4,000 companies used Safe Harbour to transfer data to the US and switched to other legal agreements after October’s decision, including model contract clauses and binding corporate rules.
Google has already announced it would use Privacy Shield once it’s up and running.
National privacy watchdogs will meet 25 July in Brussels to agree on how they’ll enforce the new deal.
Once the United Kingdom leaves the EU, it will also have to negotiate a similar arrangement in order for companies to continue transferring data from the bloc.
Jourová told reporters today that it was still early to say whether the EU would give the UK such a deal, which would guarantee that its data protection laws meet EU standards.
The UK data protection office said British companies will still need to respect the sweeping new EU data protection regulation set to go into effect in 2018, but the UK government will decide whether or not to enforce the law after it leaves the EU.
Background
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.