New rules governing trans-Atlantic data transfers were formally approved Tuesday, months after Europe's top court ruled against the previous arrangements amid concerns over the surveillance activities of U.S. intelligence agencies.
The European Union and the U.S. say the new Privacy Shield imposes stricter obligations on American companies, including the likes of Facebook and Apple, to safeguard the personal data of individuals, from health matters through to social media activities.
Critics argue that the new framework doesn't go far enough, that the consumer protections are not strong enough and that the possibility of blanket surveillance from U.S. agencies remains.
As part of the deal, the U.S. government has assured that any access on national security grounds by public authorities to personal data transferred under the new arrangements will be subject to "clear conditions, limitations, oversight and preventing generalized access."
The two sides say that includes stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission including increased cooperation with European authorities.
Under the terms of the new deal, there will be an annual joint review of the pact and those who think their data has been misused has a route for complaint. And the U.S. will appoint a new official — an ombudsman based at the State Department — responsible for following up on European complaints.
"The approval of the Privacy Shield is a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising," U.S. Commerce Secretary Penny Pritzker said in Brussels at the launch of the data-sharing pact.
"For businesses, the free flow of data makes it possible for a startup in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee," she added.
The deal potentially brings an end to a period of uncertainty for businesses following last October's decision by the European Court of Justice that the previous Safe Harbor pact was invalid because it did not adequately protect consumers when their data was stored in the U.S.
The pact, which had been used by around 4,500 companies, had allowed the easy transfer of data from the EU by having U.S. companies promise to provide privacy protections equivalent to those in the EU. The EU court's ruling that the pact was invalid opened up the possibility that data privacy officers across the 28-country EU might be inundated by complaints by consumers worried about their privacy.
"The adoption of Privacy Shield will enhance legal certainty for thousands of businesses on both sides of the Atlantic while providing an adequate level of protection for citizens' data," Markus J. Beyrer, the director general of lobby group BusinessEurope. "Trans-Atlantic data flows are fundamental to the success of the European economy and today's decision will support job creation across industry."
Concerns over the privacy of data transfers had been stoked by the spying revelations made by Edward Snowden, a former contractor at the U.S. National Security Agency. Snowden's revelations had prompted the complaint to the court from Max Schrems, an Austrian law student.
Schrems said Tuesday that the new arrangements don't go far enough and argued that the requirements on the U.S. authorities are not equivalent to those that exist in the EU.
"It is little more than a little upgrade to Safe Harbor," he said. "It is very likely to fail again ... This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution."
Schrems' view was echoed by Jan Philipp Albrecht, the home affairs and data protection spokesman for the Greens in the European Parliament, who said the European Commission "signed a blank cheque for the transfer of personal data of EU citizens to the U.S., without delivering equivalent data protection rights."
Both Pritzker and Vera Jourova, the European Commissioner for Justice, said they are confident that the new deal will stand up to any court challenge.
"The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for business," Jourova said. "It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints."