The U.S. and EU finally reached a deal governing the transatlantic transfer of personal data, officials said Wednesday, promising it would unravel the Gordian knot negotiators have been tugging at for more than two years — reassuring companies about regulation and EU citizens fearing mass surveillance, while allowing U.S. intelligence and law enforcement agencies needed access to communication flows.
The handshake agreement — written details are expected within a few weeks — replaces the 15-year-old Safe Harbor arrangement, under which U.S. companies collecting EU citizens’ personal data were essentially allowed to self-certify that they were treating it as they would have to if they were subject to European regulation.
Instead, the new deal, dubbed Privacy Shield by image-conscious officials, will provide formal machinery for oversight; an ombudsman to address complaints by EU citizens against U.S. intelligence agencies; a legal mechanism for redress against law enforcement agencies; and a three-stage, cost-free framework for consumers to resolve complaints against U.S. companies that mishandle their data, Vera Jourova, EU commissioner for justice, consumers and gender equality, told a press conference in Brussels.
The deal provides “a strong and safe framework for the future of transatlantic data flows,” she said.
It came as a deadline — set by European national data privacy regulators, who had threatened to take matters into their own hands and begin legal action against U.S. companies if a deal wasn’t reached by Feb. 2 — expired.
Both sides had been trying to renegotiate the agreement for more than two years, but the process was given added impetus last year when the European Court of Justice invalidated the Safe Harbor on the basis that it did not provide any protection to EU citizens from the broad Internet surveillance carried out by the National Security Agency that was revealed by mega-leaker Edward Snowden.
Max Schrems, the privacy activist who brought the case against Facebook that resulted in that ECJ ruling, reacted with skepticism to Tuesday’s news.
“With all due respect, a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” Schrems said in a statement.
The deal agreed Tuesday by the College of EU Commissioners would end up back in front of the ECJ in Luxembourg, where Privacy Shield would fare no better than Safe Harbor, Schrems added. Commissioners were “issuing a round-trip [ticket] to Luxembourg,” he said.
Privacy advocates in the U.S. were no more complimentary.
“A rights-respecting data transfer agreement between the EU and the U.S. would allow users to engage meaningfully with one another,” said Amie Stepanovich, U.S. policy manager at Internet rights group Access Now.
But officials on both sides of the Atlantic insisted that the deal was, in the words of EU Commission Vice President Andrus Ansip, “a significant improvement” over the Safe Harbor.
“Both our citizens and our businesses will benefit from this,” he concluded.
Jourova called the deal “a living agreement,” noting that it would be subject to an annual review by both governments that would include an assessment of whether U.S. law enforcement and intelligence agencies had respected the conditions of the deal.
“We will of course hold the U.S. accountable to its commitments,” she said.
For the first time, she added, the U.S. administration was prepared to issue “written, binding assurances” that the access of intelligence and law enforcement agencies to the personal data of EU citizens would be “subject to safeguards, limitations and oversight.”
She said the assurances would come from the Office of the Director of National Intelligence, which she inaccurately described as being “in the White House.”
U.S. authorities have assured EU officials “they do not carry out indiscriminate mass surveillance of Europeans,” said Ansip, referencing policy statements by the Obama administration that it would treat citizens of allied European nations as though they were Americans for the purposes of electronic surveillance and intelligence-gathering.
“This deal signals the closeness of the U.S.-EU relationship,” U.S. Commerce Secretary Penny Pritzker said on a media call Tuesday. “It demonstrates our commitment to working together as leaders in the global economy, promoting our shared values and bridging our differences when they exist.”
An ombudsman based in the State Department would deal with EU citizens’ complaints about intelligence agencies’ misuse of data, said Ansip, “upon referral by EU data protection regulators.” Redress against law enforcement would be provided by the Judicial Redress Act (H.R. 1428), currently before the Senate. Consumers who had a complaint about the way their data had been handled could first take it up with the company, Jourova said.
If they didn’t get satisfaction there, they would have mandatory access to a free automatic dispute resolution process, run by the U.S. Federal Trade Commission and the EU’s 28 national data protection authorities.
“As a last resort, there will be an arbitration process,” she said.
Companies that broke the terms of the agreement would face escalating sanctions, up to and including “removal from the list” of those firms legally allowed to collect EU citizens’ data and transfer it to the U.S., Jourova explained.
Industry groups and legal experts that have fretted about the legal consequences of the regulatory limbo in which they were left by the knock-down of the Safe Harbor welcomed the deal.
“We are pleased that U.S. and European policymakers have resolved this issue and support the free flow of data between these two markets. We hope the new agreement signifies a line of thinking that will shape future EU policy decisions as well,” said Information Technology and Innovation Foundation Vice President Daniel Castro.
“The successful negotiation of the new Privacy Shield is a huge coup for the negotiators who were operating under a bright spotlight with many onlookers,” said Lisa Sotto, head of the global privacy and cybersecurity practice at Richmond, Virginia-based law firm Hunton & Williams. “There is no question that a number of stakeholders will be scrutinizing the deal in weeks and months to come. Still, agreement on the text of the new and improved Safe Harbor is an important political step forward.”
Jourova said she would brief EU national privacy and data protection regulators — collectively known as the Article 28 Working Group — about the technical and legal details of the agreement in Brussels Wednesday.
She said both sides would take “a few weeks to make the necessary arrangements and finalize the procedures to be put into place to implement the agreement.”