Goodbye Safe Harbor, hello Privacy Shield: that's the name given by European Union and U.S. negotiators to the deal they struck on Tuesday enabling legal transfers of personal data between the two regions.
EU-US Privacy Shield "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses," the European Commission said in a press release announcing the agreement.
Designed to replace the Safe Harbor agreement that was struck down in October, the new deal imposes stronger obligations for U.S. companies to protect the personal data of European citizens. It also calls for stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission, both of which will cooperate with European data-protection authorities to address any complaints by EU citizens. A dedicated new ombudsman will help oversee complaints and enquiries as well.
Finally, there will be a joint annual review focused on monitoring and ensuring that commitments are upheld.
"The EU and the United States are the closest allies," said Andrus Ansip, vice president of the EC in charge of Digital Single Market, in a press conference on Tuesday. "On a topic as important as this, we had to find common solutions. I believe this new arrangement is what Europe needs -- both our citizens and our businesses will benefit from this."
U.S. Secretary of Commerce Penny Pritzker was similarly optimistic.
"It's been a long road, but we've turned the corner and now we stand together," Pritzker said during a press call on Tuesday. "This will allow the digital economy in both the EU and the U.S. to continue to grow."
As part of the agreement, the Department of Commerce will ensure that U.S. companies publish their commitments to protect Europeans' privacy, making them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Meanwhile, the U.S. has given the EU written assurances for the first time that data access for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred inside its borders. The annual joint review will include the issue of national security access, with participation by national intelligence experts from the U.S. and European Data Protection Authorities.
Coming up next, the EU College of Commissions has mandated Ansip and the European Commissioner for Justice, Consumers and Gender Equality, Vĕra Jourová, to prepare a draft "adequacy decision" in the coming weeks. That, in turn, could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsman.
Sign up for CIO Asia eNewsletters.