Following months of negotiations and uncertainty, the so-called Privacy Shield that regulates the flow of data between European countries and the United States will finally take effect. As of August 1, businesses will have a simple, legal means by which to export the personal information of European Union citizens to the U.S.
Approved today by the European Commission, the Privacy Shield guarantees an adequate level of protection for personal data transferred from the EU to self-certified organizations in the U.S. The agreement, which replaces the defunct Safe Harbor agreement, was announced in Brussels by European Commissioner for Justice Vera Jourova.
The commission notified the governments of the EU’s 28 member states of its approval today, putting the Privacy Shield officially into effect. Companies can register their compliance with Privacy Shield beginning August 1.
Old Agreement Overturned
The European Commission deemed the Safe Harbor agreement adequate in 2000, but the Court of Justice of the European Union overturned that agreement last fall. The commission said that such an agreement could only work if it provided a level of privacy protection that was essentially equivalent to that of the 1995 Data Protection Directive, which regulates the processing of personal data within the European Union.
“Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” according to the EU court.
Early drafts of the Privacy Shield were criticized because many people, including the commission’s own advisors, felt its provisions on mass surveillance were too vague. That led to concerns that the new agreement would be overturned in court, but subsequent revisions suggested by the EU court satisfied the parties involved.
Collection vs. Surveillance
The Privacy Shield differs from Safe Harbor in that it offers an annual joint review that aims to make it easier to solve problems as they come along, and also takes into account recommendations from independent European data protection authorities, according to Jourova. For instance, one improvement that was negotiated better clarified when bulk collection of data may occur and what distinguishes it from mass surveillance.
U.S. Commerce Secretary Penny Pritzker said that for businesses, the new data flow framework will “facilitate more trade across our borders, more collaboration across the Atlantic, and more job creating investments in our communities. For consumers, the framework will ensure you have access to your favorite online services and the latest technologies, while strongly protecting your privacy.”
However, not everyone is on board with the new data agreement, especially advocates for digital privacy, who have argued that bulk collection and mass surveillance could too easily be interpreted as synonymous. The Article 29 Working Party, which is made up of the EU’s national data protection authorities, said that it is analyzing the final texts of the Privacy Shield and will meet later this month to draft a response.