European and U.S. negotiators agreed a data pact on Tuesday that should prevent European Union regulators from restricting data transfers by companies such as Google and Amazon across the Atlantic.
The European Union and the United States have been racing to replace the Safe Harbour framework that was outlawed by a top EU court last year over concerns about U.S. mass surveillance, leaving thousands of companies in legal limbo.
The announcement of the pact, which still requires political approval, coincides with two days of talks in Brussels, where European data protection authorities were poised to restrict data transfers unless a deal was clinched. The European Commission said that the new Privacy Shield would place stronger obligations on U.S. companies to protect Europeans' personal data and ensure stronger monitoring and enforcement by U.S. agencies.
"We have for the first time received detailed written assurances from the United States on the safeguards and limitations applicable to U.S. surveillance programmes," Commission Vice-President Andrus Ansip told a news conference. "On the commercial side, we have obtained strong oversight by the U.S. Department of Commerce and the Federal Trade Commission of companies' compliance with their obligations to protect EU personal data."
The United States will create an ombudsman within the State Department to deal with complaints and enquiries forwarded by EU data protection agencies. There will also be an alternative dispute resolution mechanism to resolve grievances and a joint annual review of the accord. European data protection authorities will also work with the U.S. Federal Trade Commission to police the system.
The accord received a thumbs up from lobbying groups The Information Technology Industry Council, BSA The Software Alliance and DigitalEurope, as well Paris-based International Chamber of Commerce and BusinessEurope. "The free flow of data between the EU and the U.S. is the most important in the world. This agreement is essential because it provides a reliable framework for international data transfers," BusinessEurope Director General Markus Beyrer said.
However, Max Schrems, the Austrian law student whose court case against Facebook in Ireland sank Safe Harbour, expressed doubts about the validity of the pact, saying on his website that he is not sure whether the system would stand up to legal challenge. European Digital Rights, an umbrella group of digital civil rights bodies, described the agreement as flawed.
"The emperor is trying on a new set of clothes. Today's announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail," Executive Director Joe McNamee said. Safe Harbour had for 15 years allowed more than 4,000 companies to avoid cumbersome EU data transfer rules by stating that they complied with EU data protection law.
Cross-border data transfers are used in many industries for sharing employee information, when consumer data is shared to complete credit card, travel or e-commerce transactions, or to target advertising based on customer preferences.