European citizens will be protected from the “indiscriminate mass surveillance” activities of the US government under the terms of a reworked data-sharing agreement to replace Safe Harbour.
The European Union (EU) made the pledge during a press conference today (2 February), when it announced details of the EU-US Privacy Shield deal, ushered in to replace the invalid Safe Harbour regime. It is expected to come into force in the next three months.
Andrus Ansip, European Commission (EC) vice-president in charge of the Digital Single Market, described the data-sharing agreement as a “significant improvement” on Safe Harbour.
As part of the discussions, Ansip said the EC had received written assurances from the US government that it does not intend to use the EU-US Privacy Shield to carry out “indiscriminate, mass surveillance” on European citizens.
The EU-US Privacy Shield will, unlike Safe Harbour, be subject to an annual review to ensure it remains fit for purpose in the years to come, added Věra Jourová, the European commissioner in charge of justice, consumers and gender equality.
“This result comes after tough negotiations, where we have worked day and night to protect the fundamental rights of European citizens and to ensure legal certainty for businesses,” she said.
“It will be a living mechanism that will be reviewed regularly to see if it is working well.”
Many of the features of the arrangement were previously outlined in comments made by Jourová on 1 February 2016, where she set out the challenges the European Commission had faced trying to establish a lawful replacement for Safe Harbour.
These include the creation of a “functionally independent” ombudsman, to whom European citizens can turn should they believe their personal data has been used unlawfully by US authorities. As confirmed during the press conference, this role will be fulfilled by the US State Department.
The abolition of the original Safe Harbour agreement was largely prompted by the work of Austrian Max Schrems. Until his intervention, it was used to lawfully transmit the data of European citizens to the US.
However, Schrems argued the regime was no guarantee that the data of European citizens would be protected from the surveillance activities of the US government.
The European Court of Justice (ECJ) backed this assertion in October 2015, prompting European and US lawmakers to scramble for an alternative arrangement for transferring data from Europe across the Atlantic.
Around 3,000 companies used Safe Harbour to transfer European data to the US, and the economic implications of its abolishment weighed heavily on the technology sector, prompting some to voice concerns about the economic impact that disrupting transatlantic data flows could have.
In this vein, Dave Grimaldi, executive vice-president of public policy for the Interactive Advertising Bureau (IAB), said the Privacy Shield arrangement should bring some much-needed assurance to companies that rely on transatlantic data transfers to do business.
“International data flows are a crucial component of the US and EU economies, and the digital advertising industry in particular. With nearly $100bn in advertising revenue between the two continents, this decision will hopefully bring much-needed legal certainty to the digital advertising industry,” he said.
“We look forward to evaluating the details of the new agreement and providing further industry input where needed.”
Privacy Shield a relief to many
With Facebook, Microsoft and Google among the companies that relied on Safe Harbour, the technology sector has been keenly awaiting news of its replacement.
Antony Walker, deputy CEO of trade association TechUK, said news of the EU-US Privacy Shield would prove a relief to many, before calling on European and US lawmakers to demonstrate their commitment to bringing it into force.
“Businesses across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers,” said Walker.
“Data protection authorities across Europe must play a constructive role in supporting this new agreement. It is essential they allow time for this agreement to work and refrain from further regulatory action on other transfer mechanisms.”
However, Phil Lee, data protection partner at European law firm Fieldfisher, cautioned the business sector against getting too excited about the prospect of Safe Harbour 2.0.
“Today’s announcement will undoubtedly be welcomed by many. But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces,” he added.