After months of uncertainty, businesses will once again have a simple, legal way to export the personal information of European Union citizens to the U.S. for processing from Aug. 1.
Privacy Shield, the replacement for the defunct Safe Harbor Agreement, ensures an adequate level of protection for personal data transferred from the EU to self-certified organisations in the U.S., the European Commission ruled Tuesday morning. It plans to notify the governments of the EU's 28 member states of its adequacy decision later in the day, at which point Privacy Shield will enter effect, although it will still be a few more weeks before companies can register their compliance with it.
It's 16 years since the Commission made a similar adequacy decision regarding Safe Harbor, and nine months since the Court of Justice of the European Union overturned it, saying that an agreement could only be adequate if it provided a level of privacy protection "essentially equivalent" to that of the 1995 Data Protection Directive. Among the CJEU's objections to Safe Harbor in its October 2015 ruling, it noted that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."
When the first draft of Privacy Shield was published in February, its vague provisions on mass surveillance were criticized from many quarters, including the Commission's own advisors, leading to fears that it would only be a matter of time before the CJEU overturned it too.
But since then the text has been improved, and now reflects the requirements set out by the CJEU, European Commissioner for Justice Vĕra Jourová said, announcing the deal in Brussels.
"Privacy Shield is fundamentally different from Safe Harbor, because we will have an annual joint review which will make it easier to solve any problems that could arise. Since releasing the first draft of Privacy Shield in February we have been able to make it even better and clearer by taking on board the recommendations of Europe's independent data protection authorities as well as the resolution of the European Parliament," she said.
Among the improvements, she said, negotiators have "clarified better when bulk collection of data may occur and what distinguishes it from mass surveillance."
U.S. Commerce Secretary Penny Pritzker, also present, made no reference to surveillance or bulk collection, preferring to focus on the positives.
"For businesses, the framework will facilitate more trade across our borders, more collaboration across the Atlantic, and more job creating investments in our communities," she said. "For consumers, the framework will ensure you have access to your favorite online services and the latest technologies, while strongly protecting your privacy."
Business lobbyists were predictably supportive of the new deal.
"Privacy Shield sets a new high standard for EU-U.S. data transfers. It is a major privacy win for consumers and it provides legal clarity for thousands of European and U.S. firms," said Christian Borggreen, European director of Computer and Communications Industry Association, whose members include the likes of Amazon.com, Google and Microsoft.
But it's not just big business that will benefit, according to BSA The Software Alliance, a group that promotes intellectual property protection. The alternatives to Safe Harbor have been particularly burdensome for small businesses, BSA President and CEO Victoria Espinel said.
"The free flow of data is vital for the transatlantic economy. We are talking about at least half a trillion dollars' worth of commerce annually," said Spinel. "The movement of data across borders enables European and US companies to offer the best services and products to consumers. It is also essential to creating the economic growth and job creation that is so important in both the US and EU."
But Jourová's nice distinction between bulk data and mass surveillance didn't impress campaign group European Digital Rights (EDRI), nor Max Schrems, the Austrian whose complaint to the Irish Data Protection Commissioner about Facebook's handling of his data ultimately led to the CJEU ruling.
"In Annex VI of the Privacy Shield decision, the US government explicitly confirms that U.S. services conduct 'bulk collection' by using data from U.S. companies. While the U.S. highlights what it called limitations (for example for only six broad purposes), the mere possibility of such mass surveillance is contrary to the CJEU judgement," Schrems said via email.
EDRi Executive Director Joe McNamee doesn't give Privacy Shield long: "We now have to wait until the Court again rules that the deal is illegal and then, maybe, the EU and U.S. can negotiate a credible arrangement that actually respects the law, engenders trust and protects our fundamental rights," he said.
Schrems isn't planning an immediate legal challenge to Privacy Shield, but suspects that there will be no lack of possible plaintiffs.
One potential complainant stepped forward almost immediately. The Article 29 Working Party, composed of the EU's national data protection authorities, said Tuesday it is analyzing the final texts of Privacy Shield and will meet on July 25 to agree its position. The working party was critical of the early draft, in particular the way it left the door open to indiscriminate mass surveillance of Europeans' data by U.S. authorities.
Privacy Shield will take effect as soon as member states' governments are notified, something the Commission said it planned to do later Tuesday.
The U.S. Commerce department will accept Privacy Shield self-certifications from Aug. 1.