- New `privacy shield' to replace banned safe harbor accord
- Campaigners warn measures outlined by EU face a legal fight
The U.S. and European Union reached a new deal to facilitate trans-Atlantic data transfers, in a last-minute agreement designed to safeguard privacy and protect technology giants and multinationals from being plunged into legal limbo.
The EU said the new pact -- called the EU-U.S. privacy shield -- will provide citizens with robust privacy protection and the right to judicial review. Negotiators made the breakthrough Tuesday as national regulators threatened to impose tight restrictions on how firms move information across the Atlantic.
“We have for the first time received detailed, written assurances from the United States on the safeguards and limitations applicable to U.S. surveillance programs,” Andrus Ansip, a European Commission vice-president, told reporters at the EU Parliament in Strasbourg, France. “The U.S. side has clarified that they do not carry out indiscriminate mass surveillance of Europeans.”
The two sides were forced back to the drawing board after the EU’s top court said in October a “safe-harbor” accord dating back to 2000 failed to offer safeguards to EU citizens when U.S.-based companies such as social media giant Facebook Inc. process personal data on customers, from billing information to the content of messages. The new deal seeks to address concerns that American spies had unfettered access to private data on European citizens.
After the the tragedy in Paris, some U.S. officials had hoped the EU would tone down its demands, according to people familiar with the talks. But rather than backtrack, EU Justice Commissioner Vera Jourova continued to press for better privacy protection -- arguing that the mass data collection revealed by former U.S. security operative Edward Snowden is pointless in the war against terror.
“For the first time, the U.S. has given the EU binding assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations,” Jourova said Tuesday.
Among the commitments will be the creation of a special ombudsman in the U.S. state department “who would follow up on complaints and inquiries by individuals about data access,” Ansip said.
Still, privacy campaigners, lawyers and trade groups were split over whether the new deal would be an improvement over the banned safe-harbor pact.
Snowden tweeted earlier Tuesday that the “EU capitulates totally” on safe harbor and that this was “interesting, given that they held all the cards.”
Austrian privacy activist Max Schrems, whose campaign led the EU court to topple the old safe harbor, said the same fate could befall its successor.
The draft plan would be “a nightmare for companies. This seems like absolutely no legal certainty whatsoever,” he said on Twitter ahead of the announcement.
Though citizens’ right to privacy has taken center stage in the EU court decision, the ruling affected more than 4,000 companies certified under Safe Harbor.
While using the safe harbor wasn’t the only way to transfer information legally, the clamor for a deal on the new pact intensified after national regulators threatened to take a closer look at the contract clauses that companies raced to put in place as a workaround after the October ruling.
The deal “will allow the digital economy in both the EU and the U.S. to grow, which is so critical,” U.S. Commerce Secretary Penny Pritzker said on a conference call.
Under the terms of the new deal, the two sides pledged to jointly review the new mechanism every year. The Brussels-based commission and the U.S. Department of Commerce will also monitor how the system works, together with national security experts and European data protection watchdogs.
But for companies, the yearly reviews “will even make them think twice before stepping into the Safe Harbor program,” said Patrick Van Eecke, co-chair of the privacy and security practice at DLA Piper in Brussels.
The initial “safe harbor”’ agreement, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. Companies could transfer data, provided they adhered to a list of principles designed to ensure privacy isn’t breached.
After the court ruling, the EU demanded reassurances about spies’ access to data and a pledge from U.S. authorities to follow up on complaints.
The agreement, which does not need Congressional approval, builds in part on a presidential directive issued in January 2014 regarding what information intelligence agencies can gather, Pritzker said.
“We are confident we have met the requirements of the ruling as well as the various issues that have arisen,” Pritzker said. “We structured the negotiations around the case to make sure we could address the various provisions as delineated in the opinion.”