Safe Harbour 2.0: EU And US Reach New Transatlantic Data Sharing Deal
EU happy with new Safe Harbour data sharing framework after US provides written assurances protecting against mass surveillance
The European Commission (EC) and the US have agreed a new transatlantic data sharing agreement to replace the previous Safe Harbour legislation ruled invalid by a European court on 6 October last year.
European negotiators are satisfied that The ‘EU-US Privacy Shield’ provides additional safeguards for European citizens’ personal data and also establishes restrictions and oversight mechanisms for US law enforcement and national security agencies wanting to access any information.
For the first time, the US has given written assurances that such access will be subject to clear limitations, safeguards and oversight mechanisms, and the government has ruled out mass surveillance. The EC and US Department of Commerce will hold an annual review, with national intelligence experts and European data protection officials also invited.
Surveillance safeguards
The new agreement allows European citizens to make a complaint if they feel their data is being misused, either by companies handling the information or national intelligence agencies. American firms must commit to certain obligations that protect individual rights and these are enforceable under US law.
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies,” said Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality.
“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans.”
EU data protection laws dictate that EU citizen’s personal information cannot be shared with countries deemed to have less than stringent privacy regulations, such as the US, but Safe Harbour allowed some data to circumvent these restrictions to be transmitted across the Atlantic.
More than 4,000 companies, including More than 4,000 companies, including tech giants Amazon, Facebook and Google, were reliant on the previous legislation, which had been in place for 15 years. But concerns about US state surveillance prompted a renegotiation of the agreement before its invalidation.
Business certainty
Negotiators missed a deadline of 1 February to reach a new agreement, leading to fears that national data protection authorities might start to restrict the flow of data. The scope of a role of the proposed ombudsman, specifically its power to rule on surveillance issues, was believed to be the sticking point.
The suspension of Safe Harbour caused a great deal of anxiety for many firms, especially since they could potentially face legal action over the matter. However the agreement of replacement legislation has been welcomed by the UK technology industry.
“Today’s announcement of a new deal for EU –US data transfers is extremely important,” commented Anthony Walker, deputy CEO of TechUK. “The European Commission and US Administration must now show total commitment to implementing this agreement (the EU-US Privacy Shield) and getting trans-Atlantic data flows back onto a secure and stable legal footing.
“Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers. The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to the global digital economy.
“Data Protection Authorities across Europe must play a constructive role in supporting this new agreement. It is essential that they allow time for this agreement to work and refrain from further regulatory action on other transfer mechanisms.”
What do you know about privacy?