Why you need to keep an eye on the EU-US Privacy Shield
As well as the impending final approval of the GDPR, 2016 has also brought a new agreement between Europe and the US on transatlantic data flows.
The framework, known as the EU-US Privacy Shield, marks the first major commitment from the US not to indulge in mass surveillance of EU citizens. It also brings much needed clarity for organisations conducting transatlantic business, since an EU court ruling last October made the previous safe-harbour rule invalid.
The framework is designed to protect the fundamental rights of Europeans when their data is transferred to the US and ensure legal certainty for businesses. It has so far been approved by the US College of Commissioners and is awaiting approval by EU members, and will be reviewed annually by each party.
“We have agreed on a new strong framework on data flows with the US. Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic. We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering,” says Andrus Ansip, vice-president for the digital single market at the European Commission.
The development represents a shift in power between Europe and the US. The previous agreement had focussed on providing US companies with a safe harbour for storing EU collected data in the US, while the latest agreement is more centred on protecting European citizens from their data being misused in the US. “It [the US] has gone from a corporate enabler to a citizen protector – a paradigm shift in the essence of data protection,” says Patrick Van Eecke, a partner at DLA Piper.
However, Van Eecke does not believe the agreement will bring businesses the legal comfort they were looking for. “As the new agreement will be reviewed on an annual basis, and as local data protection authorities will still have the possibility to prohibit data transfers to the US, it does not bring much needed legal clarification companies are looking for,” he says.
“It will even make them think twice before stepping into the safe harbour programme and using this as the long term solid legal basis for EU-US data transfers. Instead, they will probably have to go back to asking for individual consent from each citizen they are collecting data from – an onerous and costly process.”
Mark Thompson, head of privacy practice at KPMG, agrees that Europe appears to be trying to maintain a stronger posture against the US, but questions to what extent that will actually happen. “The Privacy Shield is an interesting one as there is an agreement in principle but we don’t have a text. I expect the text to be challenged by regulators, operators and civil liberty groups,” he says.
Thompson believes that European regulators have in the past been irritated by the hard stance of the US when requesting data from global organisations. The penalty for failing to comply with the FBI’s request for data had been extremely high in comparison to many European countries. “Regulators have not been comfortable with this, which is why you have seen such emphasis on the fine structure with the GDPR,” he adds.