After months of negotiations and the official deadline passing on Sunday, the United States and European Union have finally agreed to a new mechanism for transferring data across the Atlantic — but critics say the proposed new deal, which replaces the Safe Harbor agreement, could be struck down by the courts once again.
The new deal — which will be known as the EU-US Privacy Shield — was announced in a press conference on Monday by Andrus Ansip, vice president of the European Commission in charge of the digital single market, who called the new mechanism "robust" with "strong protections in place" to protect EU citizens' data.
The final agreement will take some time to draft, said Vera Jourová, the European Commission's commissioner for justice. She said the new mechanism should be in place in the next few weeks, which will give time for the U.S. to put in place the new measures it has agreed to as part of the deal. Jourová called the new deal a “strong and safe framework for the future of trans-Atlantic data flows,” adding that it will live up to the European Court of Justice ruling. "We will hold the U.S. accountable on the commitments they've made," she said.
As part of the agreement a U.S. ombudsman, independent of the intelligence agencies, will oversee European citizens' complaints about misuse of their data, while the pact will be subject to an annual review process to see if it is working as planned.
An agreement helps tech giants and thousands of other businesses that have been left in limbo since a deadline — set by Europe's data protection authorities — for a new deal passed on Sunday.
On Monday, some of the proposed measures to be included in the new deal were presented in Brussels.
They have drawn criticism from not only some EU bureaucrats but also National Security Agency whistleblower Edward Snowden and Max Schrems, whose court case led to the original Safe Harbor agreement being struck down by the European Court of Justice.
On Monday, Jourová gave an update on the negotiations to the European Parliament’s committee on civil liberties, justice and home affairs, saying: "We are close, but an additional effort is needed."
Jourová revealed on Monday night that the new arrangement, which will not be called Safe Harbor, would be ratified by "an exchange of letters" rather than written into law, adding: "We need signatures at the highest political level and publication of the commitments in the Federal Register."
Safe Harbor was an agreement between the U.S. and EU to allow companies to easily transfer customer and employee data across the Atlantic without asking for explicit permission from each person. In the wake of the Snowden revelations, the ECJ upheld Schrems' assertion that the data being sent by Facebook to the U.S. was not safe, leading to three months of intense negotiations to find a new deal.
Some in the committee raised the issue of the U.S. presidential election, with Jourová admitting that while Europe would expect continuity, if the new president didn't sign the letters then it would simply have to suspend the mechanism once again.
There were a number of sticking points during the negotiations to get a new deal ratified. One of the key aspects of any new pact will be how much access U.S. intelligence agencies have to European data. Speaking about this, the commissioner said: "Access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate."
Snowden, a critic of the U.S. practice of mass surveillance, responded to the proposals by saying Europe had given in. "EU capitulates totally on Safe Harbor ... interesting, given that they held all the cards," Snowden tweeted.
Schrems was similarly dismissive of the proposals.
Schrems pointed out that the ECJ ruling in October specifically said that "generalized access to content of communications" by intelligence agencies violates the fundamental right to respect for privacy. On Monday, Jourová told the civil liberties committee that "generalized access ... may happen in very rare cases" under the new arrangement.
Speaking after Jourová's presentation, some members of the committee questioned the process. “It is obvious they are not there yet, and the explanations have been quite weak,” said Jan Philipp Albrecht, vice chairman of the committee, according to Politico. “They will need quite a lot of time to work this out so that it is water-tight, and for the moment I can’t see that it is.”
The new deal, if it is ratified, will be a major boost for all companies that relied on Safe Harbor, but in particular tech giants like Google, Facebook, Apple and Microsoft, whose businesses are heavily reliant on the easy flow of data around the world.
The Computer & Communications Industry Association, a nonprofit representing a cross-section of computer, communications and internet firms, said: “We welcome the agreement, which will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on transatlantic data flows.”
The CCIA adds that it hopes the EU will not block the proposal. “We call on European Data Protection Authorities to endorse this new and strengthened framework and give time for Safe Harbor companies to transition. We also urge that existing commercial data transfer mechanisms remain viable.”