EU and US clinch data-transfer deal to replace Safe Harbour

The EU and US have agreed a new pact to make it easy for organisations to transfer data across the Atlantic.

The agreement should head off the threat that both tech giants and smaller companies would be unable to send personal information for processing in US data centres.
It follows a court ruling last year that invalidated an earlier data transfer mechanism called Safe Harbour.
The announcement was welcomed by businesses.
However privacy groups still have concerns.

‘Day and night’

The British lobby group TechUK was quick to hail the news.
“The European Commission and US administration must now show total commitment to implementing this agreement and getting trans-Atlantic data flows back onto a secure and stable legal footing,” said its deputy chief executive Antony Walker.
“Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers.
“The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to the global digital economy.”
The deal coincides with a two-day meeting of EU data protection watchdogs in Brussels.
Many had predicted the regulators would block transfers that had been authorised by the earlier Safe Harbour pact as well as by other legal means, potentially causing havoc.
Not only might Facebook, Google and Apple have been restricted from sending data to the US to be used by their cloud services, but European firms might also have been unable to rely on American firms to process their payrolls and carry out other backroom tasks.
It might also have disrupted US-based travel websites from processing customers’ bookings and European’s online purchases from being completed.

New deal

The European Court of Justice ruled against Safe Harbour in October following leaks by whistleblower Edward Snowden that suggested the US security services were scrutinising foreigners’ personal data held in the US.
For the previous 15 years, thousands of US companies had been able to self-certify that they had taken the necessary steps to protect data to avoid having to seek permission for each new type of transfer.
Negotiators for the European Commission and the US State Department had already been attempting to formulate a new deal for months, but the ruling put them under pressure to conclude the talks.
“This solution is much better than the one we had in the year 2000,” commented Andrus Ansip, the European Commissioner for the digital single market.
The new agreement is called the EU-US Privacy Shield. Under its terms:

  • The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data
  • The US Office of the Director of National Intelligence will give written commitments that Europeans’ personal data will not be subject to mass surveillance
  • The EU and US will conduct an annual review to check the new system is working properly
  • European data privacy watchdogs will work with their US counterpart, the Federal Trade Commission, to address any flagged problems
  • Companies could be prevented from making use of the deal if they are found to fail to comply with privacy safeguards

Not satisfied

The privacy campaigner Max Schrems prompted Safe Harbour’s demise when he demanded the Irish data watchdog audit Facebook to see if it was willingly sharing data with the NSA – a charge the social network denies.
He has concerns about the new deal.
“A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” he wrote.
“We don’t know the exact legal structure yet, but this could amount to obviously disregarding the [ECJ’s] judgement.
“The court has clearly stated that the US has to ‘ensure’ proper protection by means of ‘domestic law or international commitments’.
“I doubt that a European can walk into a US court and claim his fundamental rights based on a letter by someone.”
A lawyer based in Silicon Valley has also raised concerns.
“Keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups – and possibly even some data protection authorities – pretty much immediately, only the foolhardy would place want to place their trust in a new Safe Harbour right now,” said Phil Lee from the law firm Fieldfisher.
“Whether legal or not, its reputation is already shot to pieces.”
EU watchdogs are expected to make their views known on Wednesday.