EU okays ‘renewed’ data transfer deal, lets US firms move Europeans’ private info overseas

The EU has accepted a new version of the so-called Privacy Shield law that would allow US companies to transfer Europeans’ private data to servers across the ocean. The EU struck down the previously-reached agreement over US surveillance concerns.

"Today member states have given their strong support to the EU-US Privacy Shield, the renewed safe framework for transatlantic data flows," Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova announced in a statement saying that the agreement ensures “a high level of protection for individuals and legal certainty for business.”

The majority of EU members voted in support of the Privacy Shield pact with the US that had been designed to replace its predecessor, the Safe Harbor system, which the highest EU court ruled “invalid” in October 2015 following Edward Snowden’s revelations about mass US surveillance.

"It [the Privacy Shield] is fundamentally different from the old Safe Harbour: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice," Ansip and Jourova said.

However, several countries, including Austria, Slovenia, Bulgaria and Croatia, abstained amid privacy concerns.

The newly-adopted agreement will come into force starting Tuesday.

The deal, which is said to be aimed at protecting European citizens’ private data, defines the rules for how the sharing of information should be handled. It gives legal ground for tech companies such as Google, Facebook and MasterCard to move Europeans’ personal data to US servers, bypassing an EU ban on moving personal information out of the 28-nation bloc. The agreement covers everything from private data about employees to detailed records of what people do online.

“For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data,” the statement said.

The Privacy Shield was first introduced and agreed upon in February, but its implementation was then delayed by European data protection regulators. They demanded more “security guarantees” while expressing concerns over “the possibility that is left in the Shield for bulk collection which if massive and indiscriminate is not acceptable.”

The new deal now grants greater guarantees to European customers and provides “accessible and affordable redress mechanisms” in case any disputes concerning US spying arise. An ombudsman will also be created within the US State Department to review complaints filed by EU citizens.

Major US and UK tech companies applauded the agreement. Among those supporting the move was industry group DIGITALEUROPE, which represents Apple, Google and IBM.

"Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies," said John Higgins, director general of the group.

TechUK, which represents 900 firms in the UK, said Privacy Shield was “restoring a stable legal footing”.

“The coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade,” said Charlotte Holloway, the group’s associate director of policy.

Privacy Shield, however, has also faced sharp criticism. Concerns about extensive US spying activity were raised in Europe after whistleblower Edward Snowden released a trove of controversial material on Washington’s surveillance practices.

Digital rights group Privacy International (PI) said the newly-adopted pact had been drawn up on a "flawed premise" and “remains full of holes and hence offers limited protection to personal data”.