The European Commission member states have approved the EU-U.S. Privacy Shield framework for transatlantic flow and storage of data.
The legal texts of the framework still have to be formally approved, but the vote by member states paves the way for their adoption.
Once it becomes official, the shield replaces the safe harbor agreement that a European Union court invalidated last October over concerns about the U.S. being able to hold up its end of the agreement given the government surveillance revealed by the Edward Snowden leaks. The framework requires companies to provide notice of what personal information is being collected and stored, the purposes it is used for, and an "opt out" mechanism.
As part of the new shield, the U.S. has given the European Union "written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data," the commission emphasized in announcing the vote.
The U.S. Congress did its part back in February to provide further assurances, passing legislation, the Judicial Redress Act, that gives EU member citizens, at least those in countries considered U.S. allies, privacy rights similar to those of U.S. citizens for data stored in this country and the legal standing to seek judicial remedies here for mishandling of that data.
The framework agreement was struck Feb. 2.
"The Commission’s approval is a win for global commerce," said Lisa Sotto, head of global privacy and cybersecurity for law firm Hunton & Williams. "The enhanced protections provided to EU data are a win for EU privacy rights. All in all, the new EU-US Privacy Shield is a coup for all stakeholders. The Safe Harbor came into being in 2000. Given the changes in technology and world events since then, an overhaul was inevitable, particularly in light of the Snowden revelations and the complete overhaul of the EU data protection regime as we move from the EU Data Protection Directive to the Regulation."
Mark MacCarthy, Software & Information Industry Association’s senior VP of public policy, issued the following statement:
“The EU-U.S. Privacy Shield provides robust consumer privacy protections while allowing for the free and legal transfer of data from Europe to the United States," said MacCarthy. "These cross-border data flows are essential for businesses of all sizes, and lead directly to jobs and economic growth on both sides of the Atlantic. Today’s approval demonstrates that EU member states are committed to both protecting their citizens’ privacy and ensuring greater economic opportunity.
“We applaud the EU leadership and member states for today’s action, and commend both the European Commission and the U.S. Government for their work to develop the Privacy Shield. We hope that this step forward will lead to 21st century data flow provisions in the Transatlantic Trade and Investment Partnership and the Trade in Services Agreement.”
But not everyone was celebrating. Some privacy advocates have long argued the shield is insufficient, some threatening to sue.
"By agreeing to the Privacy Shield, the EU has agreed to a Privexit on protecting the data of its citizens," said Jeff Chester, executive director of the Center for Digital Democracy. "The Privacy Shield is itself a deception on the EU public," he said. "So far the FTC has failed to address the explosion of data gathering in the US—led by companies like Google and Facebook and also cable and telco giants. If the US can’t protect the privacy of its own people, it certainly cannot protect the EU public. US consumer and privacy groups plan to work with their EU counterparts to show that “Shield” permits massive commercial surveillance conducted by our digital data companies."