Privacy Shield transatlantic data sharing agreement enters effect

But European privacy regulators will meet to scrutinize the new deal on July 25

After months of uncertainty, businesses will once again have a simple, legal way to export the personal information of European Union citizens to the U.S. for processing from Aug. 1.

Privacy Shield, the replacement for the defunct Safe Harbor Agreement, ensures an adequate level of protection for personal data transferred from the EU to self-certified organisations in the U.S., the European Commission ruled Tuesday morning. It plans to notify the governments of the EU's 28 member states of its adequacy decision later in the day, at which point Privacy Shield will enter effect, although it will still be a few more weeks before companies can register their compliance with it.

It's 16 years since the Commission made a similar adequacy decision regarding Safe Harbor, and nine months since the Court of Justice of the European Union overturned it, saying that an agreement could only be adequate if it provided a level of privacy protection "essentially equivalent" to that of the 1995 Data Protection Directive. Among the CJEU's objections to Safe Harbor in its October 2015 ruling, it noted that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."


When the first draft of Privacy Shield was published in February, its vague provisions on mass surveillance were criticized from many quarters, including the Commission's own advisors, leading to fears that it would only be a matter of time before the CJEU overturned it too.

But since then the text has been improved, and now reflects the requirements set out by the CJEU, European Commissioner for Justice Vĕra Jourová said, announcing the deal in Brussels.

"Privacy Shield is fundamentally different from Safe Harbor, because we will have an annual joint review which will make it easier to solve any problems that could arise. Since releasing the first draft of Privacy Shield in February we have been able to make it even better and clearer by taking on board the recommendations of Europe's independent data protection authorities as well as the resolution of the European Parliament," she said.

Among the improvements, she said, negotiators have "clarified better when bulk collection of data may occur and what distinguishes it from mass surveillance."

U.S. Commerce Secretary Penny Pritzker, also present, made no reference to surveillance or bulk collection, preferring to focus on the positives.

"For businesses, the framework will facilitate more trade across our borders, more collaboration across the Atlantic, and more job creating investments in our communities," she said. "For consumers, the framework will ensure you have access to your favorite online services and the latest technologies, while strongly protecting your privacy."

Business lobbyists were predictably supportive of the new deal.

"Privacy Shield sets a new high standard for EU-U.S. data transfers. It is a major privacy win for consumers and it provides legal clarity for thousands of European and U.S. firms," said Christian Borggreen, European director of Computer and Communications Industry Association, whose members include the likes of Amazon.com, Google and Microsoft.

But it's not just big business that will benefit, according to BSA The Software Alliance, a group that promotes intellectual property protection. The alternatives to Safe Harbor have been particularly burdensome for small businesses, BSA President and CEO Victoria Espinel said.

"The free flow of data is vital for the transatlantic economy. We are talking about at least half a trillion dollars' worth of commerce annually," said Spinel. "The movement of data across borders enables European and US companies to offer the best services and products to consumers. It is also essential to creating the economic growth and job creation that is so important in both the US and EU."

But Jourová's nice distinction between bulk data and mass surveillance didn't impress campaign group European Digital Rights (EDRI), nor Max Schrems, the Austrian whose complaint to the Irish Data Protection Commissioner about Facebook's handling of his data ultimately led to the CJEU ruling.

"In Annex VI of the Privacy Shield decision, the US government explicitly confirms that U.S. services conduct 'bulk collection' by using data from U.S. companies. While the U.S. highlights what it called limitations (for example for only six broad purposes), the mere possibility of such mass surveillance is contrary to the CJEU judgement," Schrems said via email.

EDRi Executive Director Joe McNamee doesn't give Privacy Shield long: "We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and U.S. can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights," he said.

Schrems isn't planning an immediate legal challenge to Privacy Shield, but suspects that there will be no lack of possible plaintiffs.

One potential complainant stepped forward almost immediately. The Article 29 Working Party, composed of the EU's national data protection authorities, said Tuesday it is analyzing the final texts of Privacy Shield and will meet on July 25 to agree its position. The working party was critical of the early draft, in particular the way it left the door open to indiscriminate mass surveillance of Europeans' data by U.S. authorities.

Privacy Shield will take effect as soon as member states' governments are notified, something the Commission said it planned to do later Tuesday.

The U.S. Commerce department will accept Privacy Shield self-certifications from Aug. 1.

Join the PC World newsletter!

Error: Please check your email address.

Tags Privacy Shield

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?