New transatlantic data transfer deal sealed with ‘written assurances’ of US spying limitations

© Sigtryggur Ari
The US and the EU have agreed on new rules for sharing personal data across the Atlantic that will allegedly better protect Europeans’ privacy from US intelligence agencies after the previous Safe Harbour mechanism was deemed inadequate.

“We have agreed with our US partners a new framework that will ensure the right checks and balances for our citizens,” said digital commissioner Andrus Ansip at a press conference in Strasbourg. The vital deal, called the 'Privacy Shield' was reached months after the so-called Safe Harbour agreement was annulled by the European Court of Justice (ECJ) in October last year.

The new "Privacy Shield", the EU Commission believes, abides by the ECJ requirements to ensure stronger obligations that American companies, such as Facebook and Google, protect the personal data of Europeans. The new framework is expected to be in place in three months.

“The US side has clarified that they do not carry out indiscriminate mass surveillance of Europeans,” said Ansip, claiming that the US intelligence activities underwent “substantial internal reviews.” Furthermore, the American side has provided written assurances ruling out indiscriminate mass surveillance of personal data.

“We have for the first time received detailed written assurances from the United States on the safeguards and limitations applicable to US surveillance programs,” noted Ansip.

According to justice commissioner Vera Jourova, written assurances would include guarantees from the office of the director of national intelligence in the White House.

Any access to the personal data of EU citizens under the new deal will be subject to “clear” conditions, limitations and oversight, allegedly preventing any generalized access. If a breach of personal data is believed to have taken place, Europeans will have the right to raise any inquiry or file a complaint through an Ombudsperson.

“The US will create the role of a special ombudsperson within the US State Department who would follow up complaints and inquiries by individuals on national security access upon referral by EU data protection authorities,” said Ansip.

Furthermore, US firms will be subject to deadlines to reply to complaints, while the European Data Protection Authorities (DPA) will have the right to refer cases to the Department of Commerce and the Federal Trade Commission (FTC).

“This is a unique step the US has made in order to restore trust in our transatlantic relations,” noted Jourova, stressing that Brussels would “hold the US accountable on the commitments they made.”

The last-minute deal was hammered out past the official deadline, but the US secretary of commerce Penny Pritzker called it a successful end to tough negotiations: “It's been a long road but we've turned a corner and now we stand together.”

“This new mechanism will allow the digital economy in both the EU and the US to grow, which is so critical to jobs and economic security,” noted Pritzker, according to the Euobserver.

The American Chamber of Commerce welcomed the new agreement as it means that it would stimulate and boost transatlantic investment.

“This new framework gives business the necessary confidence to continue to invest in the transatlantic marketplace. It is a step in the right direction towards rebuilding trust and confidence for citizens and business alike,” said Susan Danger, managing director of the American Chamber of Commerce's EU office, according to EurActiv. 

But despite the last minute deal, the new framework has already faced criticism from EU lawmakers.

“The assurances seem to rely exclusively on political commitment, instead of legal acts. So any change in the political constellation in the US may undo the whole thing,” said Liberal Dutch member of the European Parliament Sophie in 't Veld, adding that “legal status of these safeguards is very unclear.”

German MEP Jan Philipp Albrecht from the Green Party shared the concerns claiming that the new deal amounts to a “reheated serving of the pre-existing Safe Harbour decision.”

“The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombusman, who would assess citizens' complaints,” Albrecht noted, according to EurActiv.

The work of some 4,000 internet companies which rely on personal data transfers from the EU to the US were guided by the old Safe Harbour Privacy Principles, until the framework was deemed inadequate under over Washington’s inability to offer data privacy protections to EU citizens.