Europe’s new EU-US data flow deal clears final vote

The EU-US Privacy Shield, the cumbersomely christened replacement for the now defunct Safe Harbor transatlantic data transfer agreement, is rapidly approaching adoption, with Europe’s Member States today agreeing to support the new data flow deal.

Whether it will prove as long lived as its predecessor remains to be seen, however.

In the meanwhile businesses have had to scramble to fall back on alternative mechanisms, after the certainty of the Safe Harbor self-certification data transfer regime evaporated last year. Doubts about the legality of some of these alternatives persist.

The European Commission said the support of the Member States paves the way for the formal adoption of the Privacy Shield text. It is expected to say more on Monday, when it will face questions about the Shield from the Civil Liberties, Justice and Home Affairs committee.

But now that it has the Member States support there’s no more votes to prevent adoption of the decision, so it’s clearly aiming to have the Shield up and running ASAP.

“Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence,” the EC said in a statement after the vote.

Safe Harbor simplified transatlantic data flow administration for thousands of businesses over a 15 year period, but was struck down by Europe’s top court in October 2015 following a legal challenge focused on the US government’s mass surveillance programs. Judges concluded that the latter programs were incompatibility with European fundamental data protection rights.

After that decision the EC stepped up efforts to negotiate a new deal for data transfers with US counterparts — which resulted in the EU-US Privacy Shield deal being announced with much fanfare this February.

However the new deal quickly attracted critics, including the body that represents the heads of Member States’ data protection authorities, the Article 29 WP, which in April urged the EC to keep working on the draft text — calling for more clarity, and expressing concerns that data protection principles fall short of European standards, and that redress mechanisms for European citizens are too complex.

The group also said it is worried about the continued potential for European citizens’ data to be harvested in bulk via US mass surveillance programs — questioning the independence of an ombudsperson who would be appointed in the US to assess data-related complaints from European citizens.

The body does not have a binding vote on the Privacy Shield but will be meeting again on July 25 to analyze whether the final text satisfies all their concerns, and to determine what it needs to do at an operational level with the new deal in place.

The European Parliament has also previously expressed concerns about the robustness of the Privacy Shield.

Despite its critics, the Commission continues pressing ahead, asserting in a statement today that the Privacy Shield is “fundamentally different” to the old Safe Harbor regime.

The statement by Vice-President Ansip and Commissioner Jourová goes on to add that the Privacy Shield “imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

“For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms,” they continue.

Critics aren’t so sure though. And it seems highly likely the Privacy Shield will face legal challenge in future.

A spokeswoman for the Article WP 29 group told TechCrunch: “The main concern for everyone with the Shield is the need of robustness to avoid re-opening a period of uncertainty for companies, citizens and data protection authorities. It is already nine months since everything stopped.”

“Let’s see what personalities such as [privacy campaigner who brought the legal challenge against Safe Harbor] Max Schrems or [MEP Jan Philipp] Albrecht for instance will say and do,” she added.

Four EU countries abstained in today’s vote on the Privacy Shield: Schrems’ home country of Austria, along with Bulgaria, Croatia and Slovenia.