Europe OKs ‘Privacy Shield’ data deal


Europe: Representatives of European Union member states approved the Privacy Shield framework on July 8, setting the stage for a resolution of the uncertainty that has plagued data transfers across the Atlantic. EU member states ratified a privacy agreement that will require companies and governments to treat transatlantic data with the same privacy protections afforded to data within the US or Europe.

The move comes after Europe's high court in October ruled that an international agreement for the transfer of digital data between the European Union and the United States was invalid. At the time, the so-called Safe Harbor deal ensured that 4,000-plus European and American tech and non-tech businesses would treat data moving between countries with the same privacy protections as inside the region.

Since then, both sides have been trying to hammer out a replacement deal. They announced a plan in February, which was accepted by the EU today. According to The Guardian, it goes into effect on Tuesday. Currently, electronic privacy laws in the US are not as strong as they are in Europe, where regulators have repeatedly threatened penalties against Facebook, Google, and other tech companies for perceived privacy violations. Regulators were also concerned about surveillance in the wake of the Snowden leak.

With the new privacy shield, American authorities have promised that law enforcement and government access to users' data "will be subject to clear limitations, safeguards and oversight mechanisms," and will not involve "indiscriminate mass surveillance of European citizens' data," European Commission Vice President Andrus Ansip and Commissioner Vera Jourová said in a joint statement. "The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business," they said. "It is fundamentally different from the old 'Safe Harbour': it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice."

EU citizens, for example, can file complaints if they believe their privacy has been violated. Those complaints will be handled by an office within the State Department, Reuters says, and must be addressed within 45 days. The organization representing the tech world, DigitalEurope, said it was pleased by the news. But some privacy advocates have criticized the new agreement for not doing enough to protect user data. Privacy International, a UK-based advocacy group, called it an "opaque document that will be a field day for law firms," and said that the ombudsman position the agreement would set up to monitor claims of privacy violations has weak enforcement power.

Citing a leaked version of the agreement, Privacy International legal officer Tomaso Falchetta wrote in a blog post that "the Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied."