This article has been corrected.
The European Commission and the US Department of Commerce have finally hammered out a replacement to the controversial Safe Harbor data-transfer pact, the Commission announced at an unscheduled press conference in Strasbourg late today (Feb. 2). The new deal appears to contain some key differences to its predecessor.
Safe Harbor is a set of rules that have governed trans-Atlantic data transfers for the past 15 years. It allowed tech giants like Facebook and Google to export data collected in the EU back to the US, based on the belief that the United States had sufficient data privacy protections to conform to European privacy law. But Safe Harbor was ruled invalid in 2015, in the wake of revelations of mass surveillance by the US government. Officials have been racing to agree on a replacement ever since.
Expectations for a new deal were low. European and US negotiators missed a Jan. 31 deadline imposed by Europe’s national privacy regulators. When they again failed to announce a deal during a Feb. 1 update by Vera Jourova, the EU’s chief negotiator and justice commissioner, most observers wrote the deal off as dead.
The most likely outcome was thought to be an extension of the deadline, granted by the EU’s privacy regulators. Now it appears some furious behind-the-scenes work was being done to bring it to completion. Indeed, Jourova alluded to “working day and night” on the new pact at the press conference for the agreement.
This new arrangement has been “rebranded” as the EU-US Privacy Shield.
Here are the major features of the new data-transfer arrangement:
- The US State Department will create a new ombudsman post, to follow up on complaints of possible mishandling of European user data. Authorities will be given deadlines to take action on complaints, although the commissioners did not detail the specific time limits that would be put in place.
- The Privacy Shield will be subject to annual review by the European Commission and the US Department of Commerce, allowing problems to be “fixed immediately” and not in 13 years, as was proposed earlier. The first annual review will take place in 2017, Jourova said.
- The US has agreed to “binding assurances” that law enforcement and national security measures will be subject to clear limitations, safeguards and oversight mechanisms. Written assurances have been provided by the US Director of National Intelligence. The US has ruled out indiscriminate mass surveillance of European citizens’ data, according to the official announcement.
- An “arbitration mechanism” will be available to Europeans as a “last resort” if a complaint is not resolved between a company and the relevant data protection authority, Jourova said.
- The Privacy Shield will come into effect in about three months if it gets all the necessary approvals, Jourova estimated. The US Department of Commerce will be in charge of reviewing the privacy schemes of certified companies. Firms that break the rules will face sanctions from the Federal Trade Commission and be excluded from certification.
Although a new deal has been announced, it’s far from done. Now, Jourova and the European Commission vice president Andrus Ansip have to draft an “adequacy decision.” This document, which establishes that the US indeed has sufficient privacy protections in place, has to be adopted by the EC’s College of Commissioners, in consultation with several groups, including the Article 29 Working Party.
The Article 29 Working Party, composed of Europe’s national privacy regulators, has not yet voiced support for the new deal. Jourova said she will present the details of the Privacy Shield arrangement to them tomorrow.
It all started with Max Schrems, the Austrian law student who lodged a complaint against Facebook with the Irish data protection authority in 2013. In the wake of Edward Snowden’s disclosures of mass US government surveillance that year, Schrems argued that his Facebook data, which was routinely moved to the US under the Safe Harbor agreement, was not safe.
In October 2015, Europe’s highest court agreed with Schrems, ruling that Europeans were at risk of privacy violations if their data was exported to the US. In that ruling, the court also invalidated Safe Harbor as failing to adequately protect European user data.
Schrems says he doubts the privacy assurances provided by the US. He expects the matter to end up before the European Court of Justice again.
Sophie Veld, a Dutch member of the European Parliament, also questions the guarantees afforded under the new deal. “The assurances seem to rely exclusively on political commitment, instead of legal acts,” she said in a statement.
Veld was skeptical of some of the proposed measures. “It’s highly implausible that an ombudsman will have sufficient powers to oversee the US intelligence services,” she said.
But other Safe Harbor watchers said they thought the new arrangement went far enough. William Long, a partner at law firm Sidley Austin in London, told Quartz that the new deal’s annual joint-review mechanism was an improvement on the old framework.
Georgios Petropoulos, a visiting fellow at economics think-tank Bruegel in Brussels, told Quartz that the coming months would be the real test of the new agreement, as European and US officials dig deep into the details of implementing the proposed measures. “Given the fundamental differences between the two sides, I didn’t expect more. It is a first step, but the real negotiation, the real discussion, will start right now,” he said.
Correction (Feb. 2, 7:30 EST): A previous version of this article stated that Safe Harbor was ruled invalid by the Court of Justice of the European Union in September 2015. It was ruled invalid in October 2015.