Privacy Shield - EU signs off on transatlantic data transfer comfort blanket

Shields raised! The so-called Privacy Shield replacement for Safe Harbor has been signed-off this morning by governments across the European Union, despite concerns that the new rules around data transfer will end up back before the courts.

Since the European Court of Justice, the EU's top court, struck down Safe Harbor as unsafe last October, the question of how secure the $250 billion a year of transatlantic digital business has been up in the air. The EU and US authorities had failed to produce a beefed-up Safe Harbor when the deadline ran out, leaving businesses in limbo.

When Privacy Shield was rolled out as a hurried replacement, many criticised it as being little more than lipstick on a pig to calm worried US cloud services providers. Its viability was subsequently questioned by experts on both sides of the Atlantic, including the European Commission’s own data protection working party.

Particular concerns centered on the continuing leeway it allowed for mass collection of data by US intelligence agencies. For its part, the US government says it will create an ombudsman within the State Department to field complaints from EU citizens about US spying and has ruled out “indiscriminate mass surveillance” of Europeans' data. That’s not a commitment not to gather data, but it seems to have been enough to tip the scales.

With today’s agreement from EU member governments, the Commission is now on course to adopt Privacy Shield formally on Tuesday next week.

Relief all round

The relief from interested parties is tangible.

Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova said in a statement:

Today Member States have given their strong support to the EU-US Privacy Shield, the renewed safe framework for transatlantic data flows. This paves the way for the formal adoption of the legal texts and for getting the EU-US Privacy Shield up and running. The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbor’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.

For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.

During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.

Industry group DigitalEurope, which represents much of the US tech industry, including Apple , Google and IBM, is also clearly relieved that a decision has been reached. Director General John Higgins said:

We are pleased that the Privacy Shield mechanism has received broad support from Member States. While negotiations have not been easy, we congratulate the European Commission and the US Department of Commerce on the hard work over the past months aimed at restoring trust in data transfers between the EU and US.

DigitalEurope continues to stress that our members are committed to ensuring a high level of data protection when executing transatlantic data transfers. Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies. We hope that the Privacy Shield will ease some of the recent pressure on alternative transfer mechanisms, particularly standard contractual clauses, so that Europe can get back to focusing on how international data flows can play a part in contributing to economic growth.

Meanwhile UK tech trade association TechUK has also voiced its approval of the deal, with Charlotte Holloway, Associate Director of Policy, saying:

This is a major step forward for restoring certainty and a stable legal footing for transatlantic data flows. We look to this new deal to boost business confidence and provide a strong platform for UK scaling businesses and international companies alike. The Commission is to be applauded for their hard work to address the range of issues raised by Europe’s Data Protection Authorities.

Whilst the coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade. We urge policymakers to continue to keep front of mind that data and trade go hand in hand in today’s global economy.

My take

So everyone’s happy. Or are they?

Four member states abstained in the vote - Austria, Bulgaria, Hungary and Slovenia - reflecting presumably a political unwillingness for this matter to be drawn out any further, but equally suggesting that reservations remain. Austria is, of course, home to data privacy activist Max Schrems, whose campaigning has led to so much of what’s happened over the past year.

The rest of today will see lots of upbeat and postive statements from the tech industry and politicos on both sides of the Pond. All to the good - I completely understand the need to get the ‘it’s safe to do data transfer’ message out there for the sake of transatlantic business.

But I still don’t see Privacy Shield as the answer to anything other than a too-late-in-the-day realization by both Europe and the US that neither side was bullshitting and something serious needed to be done around this issue.

For what it’s worth, I can’t see any other future other than one in which we end up back in front the European Court of Justice before very long. Privacy Shield sounds terribly tough and robust. In reality, it’s a comfort blanket knitted out of wooly thinking.

We shall be returning to this topic all too soon.