New rules governing transatlantic data transfers have been formally approved, months after Europe’s top court ruled against the previous arrangements amid concerns over surveillance activity by US intelligence agencies.
The EU and the US said the new Privacy Shield imposes stricter obligations on American companies, including the likes of Facebook and Apple, to safeguard the personal data of individuals, from health matters through to social media activities.
Critics argue that the new framework does not go far enough, and are concerned that the consumer protections are not sufficiently strong. They also warn that the possibility of blanket surveillance from US agencies remains.
As part of the deal, the US government has given assurances that any access on national security grounds by public authorities to personal data transferred under the new arrangements will be subject to “clear conditions, limitations, oversight and preventing generalised access”.
The two sides said the deal includes stronger monitoring and enforcement by the US department of commerce and federal trade commission, including increased cooperation with European authorities.
Under the terms of the new deal, there will be an annual joint review of the pact, while those who think their data has been misused have a route for complaint.
A new ombudsman based at the US state department will be appointed to follow up on European complaints.
At a joint launch in Brussels, the US commerce secretary Penny Pritzker said: “The approval of the Privacy Shield is a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising.
“For businesses, the free flow of data makes it possible for a start-up in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee.”
The deal potentially brings an end to a period of uncertainty for businesses following last October’s decision by the European Court of Justice that the previous Safe Harbor pact was invalid because it did not adequately protect consumers when their data is stored in the US.
The pact, which had been used by around 4,500 companies, had allowed the easy transfer of data from the EU by having US companies promise to provide privacy protections equivalent to those in the EU.
The EU court’s ruling that the pact was invalid opened up the possibility that data privacy officers across the 28-country EU might be inundated by complaints from consumers worried about their privacy.
Markus J Beyrer, the director general of lobby group BusinessEurope, said: “The adoption of Privacy Shield will enhance legal certainty for thousands of businesses on both sides of the Atlantic, while providing an adequate level of protection for citizens’ data.
“Transatlantic data flows are fundamental to the success of the European economy, and today’s decision will support job creation across industry.”
Concerns over the privacy of data transfers had been stoked by spying revelations from Edward Snowden, a former contractor at the US National Security Agency. Snowden’s claims had prompted the complaint to the European court from Max Schrems, an Austrian law student.
Mr Schrems said the new arrangements do not go far enough, and argued that the requirements on the US authorities are not equivalent to those that exist in the EU.
“It is little more than a little upgrade to Safe Harbor,” he said.
“It is very likely to fail again … This deal is bad for users, who will not enjoy proper privacy protections, and bad for businesses, which have to deal with a legally unstable solution.”
Both Ms Pritzker and Vera Jourova, the European commissioner for justice, said they are confident that the new deal will stand up to any court challenge.