After months of uncertainty, businesses will once again have a simple, legal way to export the personal information of European Union citizens to the U.S. for processing from Aug. 1.
Privacy Shield, the replacement for the defunct Safe Harbor Agreement, ensures an adequate level of protection for personal data transferred from the EU to self-certified organisations in the U.S., the European Commission ruled Tuesday morning. It plans to notify the governments of the EU's 28 member states of its adequacy decision later in the day, at which point Privacy Shield will enter effect, although it will still be a few more weeks before companies can register their compliance with it.
It's 16 years since the Commission made a similar adequacy decision regarding Safe Harbor, and nine months since the Court of Justice of the European Union overturned it, saying that an agreement could only be adequate if it provided a level of privacy protection "essentially equivalent" to that of the 1995 Data Protection Directive. Among the CJEU's objections to Safe Harbor in its October 2015 ruling, it noted that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."
When the first draft of Privacy Shield was published in February, its vague provisions on mass surveillance were criticized from many quarters, including the Commission's own advisors, leading to fears that it would only be a matter of time before the CJEU overturned it too.
But since then the text has been improved, and now reflects the requirements set out by the CJEU, European Commissioner for Justice Vĕra Jourová said, announcing the deal in Brussels.
"Privacy Shield is fundamentally different from Safe Harbor, because we will have an annual joint review which will make it easier to solve any problems that could arise. Since releasing the first draft of Privacy Shield in February we have been able to make it even better and clearer by taking on board the recommendations of Europe's independent data protection authorities as well as the resolution of the European Parliament," she said.
Among the improvements, she said, negotiators have "clarified better when bulk collection of data may occur and what distinguishes it from mass surveillance."
U.S. Commerce Secretary Penny Pritzker, also present, made no reference to surveillance or bulk collection, preferring to focus on the positives.
"For businesses, the framework will facilitate more trade across our borders, more collaboration across the Atlantic, and more job creating investments in our communities," she said. "For consumers, the framework will ensure you have access to your favorite online services and the latest technologies, while strongly protecting your privacy."
Sign up for CIO Asia eNewsletters.