Privacy Shield regulations to replace invalidated EU-US data transfer agreement
New law expected to be formally ratified next week but may still face legal challenges from unhappy critics.
Last October, the European Court of Justice killed the 15-year-old Safe Harbor agreement that allowed the transfer and processing of data between servers in the US and Europe. Since then, the US and EU have been scrambling to find a replacement framework that would provide sufficient safeguards for European citizens’ data.
The European court invalidated Safe Harbor because the Edward Snowden domestic-spying revelations suggested that US intelligence authorities would have unfettered access to data coming out of Europe. The end of Safe Harbor created the prospect of non-European companies having to maintain servers in each European country and comply with a patchwork of domestic privacy regulations.
A new transcontinental agreement, called Privacy Shield, was announced in February but was met with immediate skepticism. Privacy advocates expressed doubt that the new framework would be legal under the Schrems decision, which overturned the Safe Harbor agreement.
However, according to reports, there appears to be sufficient political support now to ratify Privacy Shield, which is expected to be formally adopted next week. Privacy critics could (and will likely) still sue in European courts to test the law.
Under Privacy Shield there are a number of new privacy safeguards for European data being processed on US servers:
- US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed
- The US has given the EU assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight
- Any European who believes their data has been misused under the new arrangement will have several redress possibilities
- There will be a dedicated new Ombudsperson role in the US State Department to address complaints from European privacy regulators on behalf of individuals