Under the last-minute deal, reached one day after the official deadline expired, the EU said the US had agreed to provide binding written assurances that personal information about Europeans wouldn’t be subject to bulk surveillance when it is copied on to USA servers.
Advertisement
As a result, a last gasp deal was reached this week on US-EU transatlantic data sharing, with European Commission vice president Andrus Ansip announcing that a framework agreement is now in place, “that will ensure the right checks and balances for our citizens”.
In its October decision, the European Court of Justice declared the Safe Harbor pact was invalid because it did not adequately protect consumers when their data was stored in the USA, in light of the spying revelations made by Edward Snowden, a former contractor at the U.S.’s National Security Agency. Even if they are wrong and the Privacy Shield can withstand a legal challenge, the mere existence of legal challenges to the new framework undermines the legal certainty that businesses engaged in trans-Atlantic data transfers so desperately seek.
“We have concerns, in particular with the scope of the surveillance and the remedies”, Falque-Pierrotin said, suggesting that, before the Commission’s announcement of Privacy Shield on Tuesday, the DPAs would have been inclined not to allow companies to transfer data using binding corporate rules or model contract clauses.
The United States and European Union have struck a new deal regulating cross-Atlantic data transfers, after a European court struck down a previous agreement in October.
Safe Harbour had for 15 years allowed more than 4,000 companies to avoid cumbersome European Union data transfer rules by stating that they complied with European Union data protection law.
“We don’t have all the details yet on the Privacy Shield, so over the next few months it would be prudent for companies to check back with their privacy lawyers to make sure they are doing everything they are required to do under this new arrangement”, he added via email. “In the context of the negotiations for this agreement, the United States has assured that it does not conduct mass or indiscriminate surveillance of Europeans”.
Julie Brill, commissioner of the U.S. Federal Trade Commission, offered some insight Thursday in a webcast discussion hosted by the Information Technology and Innovation Foundation (ITIF). “The European Commission may be satisfied with the US government’s assurances about how EU citizens’ data will be treated by American intelligence agencies, but that doesn’t mean EU data-protection commissioners – or European courts – will agree”.
Ms Falque-Pierrotin noted that since Schrems, transfers of data to the USA may not take place on the basis of the invalidated Safe Harbour decision.
The EU’s privacy laws are amongst the toughest in the world, and companies are not permitted to send personal data elsewhere. Cases in which USA authorities wish to access data in the name of law enforcement of national security “will be subject to clear limitations, safeguards and oversight mechanisms”. Rather pointedly, the Article 29 Working Party has stated that it still has concerns that the current U.S. legal framework does not sufficiently address these guarantees.
Advertisement
The breakdown of the main framework for providing legal cover for cross-border data transfers has companies large and small racing to find workable alternatives.
