EU member states vote for new Privacy Shield

11 July 2016

European Union member states have voted in favour of the revised Privacy Shield between the EU and the US.

European Union (EU) member states have voted in favour of the revised Privacy Shield, the data transfer agreement between the EU and the US. It comes into force next week.

The previous incarnation of the Privacy Shield was rejected by the Article 29 Working Party of the EU data protection authorities as ‘insufficiently rigorous’.

The Privacy Shield was quickly cobbled together after the Safe Harbor agreement was ruled unlawful by the European Court of Justice in 2015. Without an alternative, companies handling EU citizens' personal data on servers based in the US would have been deemed to be acting illegally.

The deal will be formally adopted on 12 July. Věra Jourová, European Commissioner for justice, consumers, and gender equality, and Andrus Ansip, European Commissioner for the digital single market, said in a joint statement: “The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”

They said it was "fundamentally different" from the old Safe Harbor. "It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice."

"For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data."

The Privacy Shield will also protect fundamental rights, they claimed, "and provides for several accessible and affordable redress mechanisms."

Safe Harbor was neutered by the European Court of Justice, which said: “In the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (in particular the National Security Agency), the law and practice of the US do not offer sufficient protection against surveillance by the public authorities.”

This judgement led to confusion over what was legal in terms of how personal data was handled.