EU and US Reach New Data-Sharing Agreement

The European Union and the United States struck a deal Tuesday over data-sharing that will allow the sending people’s information across the Atlantic.

The sides had been trying to forge an agreement since October, when Europe’s top court struck down the previous pact – known as Safe Harbor – amid concerns that Europeans’ personal data stored by companies in the U.S. might be exposed to spying by U.S. intelligence agencies.

The new deal, once put in place, potentially brings an end to a period of uncertainty that had raised the prospect of legal challenges by individuals across the 28-country EU worried about privacy.

“Our people can be sure that their personal data is fully protected,” said Andrus Ansip, the European Commissioner responsible for the digital single market. “Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.”

Ansip said the new framework, which will be known as EU-US Privacy Shield, will ensure the “right checks and balances” for European citizens and added that it “offers significant improvements” to the previous deal, which had been struck in the early days of the Internet at the turn of the century.

“This solution is much better than the one we had in the year 2000,” he said.

Under the new deal, there will be an annual joint review of the data-sharing pact, with the first expected sometime next year. The U.S. has also promised to appoint a new official – a so-called ombudsman based at the State Department – responsible for following up on complaints upon referral from EU data protection officers.

“It’s Safe Harbor with teeth,” said Dyann Heward-Mills, Head of Data Protection at London-based legal firm Baker & McKenzie. “I think this is good for business certainty and consumer trust.”

In its October decision, the European Court of Justice declared the Safe Harbor pact was invalid because it did not adequately protect consumers where their data was stored in the U.S., in light of the spying revelations made by Edward Snowden, a former contractor at the U.S.’s National Security Agency. Snowden’s revelations had prompted the complaint to the court from an Austrian law student, Max Schrems.

The pact, which had been used by around 4,500 companies, had allowed the easy transfer of data from the EU by having U.S. companies promise to provide privacy protections equivalent to those in the EU. The EU court’s ruling that the pact was invalid opened up the possibility that data privacy officers across the EU might be inundated by complaints by consumers worried about their privacy.

Vera Jourova, the European Commissioner for Justice, said the deal is a landmark as for the first time ever the U.S. has given the EU “binding assurances” that the access of public authorities for national security purposes “will be subject to clear limitations, safeguards and oversight mechanisms.”

Also for the first time, she said EU citizens will benefit from “redress mechanisms” in this area.

“The U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” she said.

Jourova added that she’s confident that the new arrangements will withstand any future court challenges as the discussions used the court ruling to help “in the formulation of the new structure.”

She estimated it could take up to three months to make the deal binding, while U.S. Secretary of Commerce Penny Pritzker said she expected it to be in effect in a matter of weeks. Pritzker said “it’s been a long road but we’ve turned the corner.”

Industry groups heralded the new deal, which they called critical because of the role cross-border data flows play in the modern economy.

“We welcome the agreement, which will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on trans-Atlantic data flows,” said Christian Borggreen, international policy director at the U.S.-based Computer & Communications Industry Association.

Others were a bit more cautious.

Sophie in’t Veld, spokesperson for data protection for the ALDE alliance of liberals in the European Parliament, said a legal appraisal of the safeguards offered by the U.S. is needed.

“It is highly doubtful that they offer meaningful protection to European citizens, or if they meet the standards set by the European Court of Justice,” she said.

She noted that the assurances seem to rely exclusively on political commitment, instead of legal acts so “any change in the political constellation in the U.S. may undo the whole thing.”