Governments across the European Union have finally given the green light to a new deal on how consumer data must be transferred with the United States, ending months of delay caused by concern over US surveillance.
Privacy Shield, the new commercial data transfer pact, was provisionally agreed by the EU and the US in February and will come into effect on Tuesday.
The EU’s top court had struck down the previous data transfer agreement, Safe Harbour, on concerns about intrusive US surveillance – leaving companies, including Google, Facebook and MasterCard, in legal limbo. Representatives of European Union member states mostly voted in favour of the EU-US Privacy Shield, but there were abstentions from Austria, Slovenia, Bulgaria and Croatia. Austria and Slovenia have voiced concerns that the pact does not go far enough to secure their citizens’ privacy.
The new framework will underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers that are crucial to international business. “Today member states have given their strong support to the EU-US Privacy Shield, the renewed safe framework for transatlantic data flows,” Commission vice-president Andrus Ansip and justice commissioner Vera Jourova said in a statement.
The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to US servers by giving EU citizens greater means to seek redress in case of disputes. For 15 years Safe Harbour allowed both US and European firms to bypass tough EU data transferral rules by stating they complied with European privacy standards when storing information on US servers.
Cross-border data transfers by businesses include payroll and human resources information as well as lucrative data used for targeted online advertising, which is of particular importance to technology companies. Industry group DIGITALEUROPE which represents Apple, Google, IBM and others, expressed relief at Friday’s vote, saying it would restore trust in data transfers between the EU and United States. “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, director general of the group.
TechUK, which represents 900 firms in the UK, described Privacy Shield as a “restoring a stable legal footing”. “The coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade,” said Charlotte Holloway, the group’s associate director of policy. “We urge policymakers to continue to keep front of mind that data and trade go hand in hand in today’s global economy.”
Brussels and Washington intensified negotiations to hammer out a replacement for Safe Harbour after the Court of Justice of the European Union in October declared it invalid because it did not sufficiently protect Europeans’ data from US snooping. Revelations three years ago from former US intelligence contractor Edward Snowden of mass US surveillance practices caused political outrage in Europe and stoked mistrust of big US tech companies.
“It (the Privacy Shield) is fundamentally different from the old Safe Harbour: it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” Ansip and Jourova said. The United States will create an ombudsman within the state department to field complaints from EU citizens about US spying and has ruled out indiscriminate mass surveillance of Europeans’ data. EU data protection authorities in April demanded that the framework be improved, citing concerns with the leeway they said it left for the United States to collect data in bulk.