EU and US agree on new data-sharing regulations

New rules governing transatlantic data transfers have been formally approved, months after Europe’s top court ruled against the previous arrangements amid concerns over surveillance activity by US intelligence agencies.

Wed, 13 Jul, 2016 - 01:00

The EU and the US said the new Privacy Shield imposes stricter obligations on American companies, including the likes of Facebook and Apple, to safeguard the personal data of individuals, from health matters through to social media activities.

Critics argue that the new framework does not go far enough, and are concerned that the consumer protections are not sufficiently strong. They also warn that the possibility of blanket surveillance from US agencies remains.

As part of the deal, the US government has given assurances that any access on national security grounds by public authorities to personal data transferred under the new arrangements will be subject to “clear conditions, limitations, oversight, and preventing generalised access”.

The two sides said the deal includes stronger monitoring and enforcement by the US department of commerce and federal trade commission, including increased cooperation with European authorities.

There will be an annual joint review of the pact, while those who think their data has been misused have a route for complaint.

A new ombudsman based at the US state department will be appointed to follow up on European complaints.

At a joint launch in Brussels, the US commerce secretary Penny Pritzker said: “The approval of the Privacy Shield is a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising.”

The deal potentially brings an end to a period of uncertainty for businesses following last October’s decision by the European Court of Justice that the previous Safe Harbor pact was invalid because it did not adequately protect consumers when their data is stored in the US.

The pact, which had been used by around 4,500 firms, had allowed the easy transfer of data from the EU by having US companies promise to provide privacy protections equivalent to those in the EU.

The EU court’s ruling that the pact was invalid opened up the possibility that data privacy officers across the EU might be inundated by complaints from consumers worried about their privacy.

Markus J Beyrer, director general of the lobby group BusinessEurope, said: “The adoption of Privacy Shield will enhance legal certainty for thousands of businesses on both sides of the Atlantic, while providing an adequate level of protection for citizens’ data.”

Concerns over the privacy of data transfers had been stoked by spying revelations from Edward Snowden, a former contractor at the US National Security Agency. Snowden’s claims had prompted the complaint to the European court from Max Schrems, an Austrian law student.

Mr Schrems said the new arrangements do not go far enough, and argued the requirements on US authorities are not equivalent to those that exist in the EU. “It is little more than a little upgrade to Safe Harbor,” he said. “It is very likely to fail again... This deal is bad for users, who will not enjoy proper privacy protections, and bad for businesses, which have to deal with a legally unstable solution.”