Legal details on incoming regulations governing the flow of data between the EU and the US were published by the European Commission today, although experts are warning the new framework could be tougher to comply with than its predecessor and may not entirely clear up uncertainty for businesses.
The EU-US Privacy Shield, which is replacing the Safe Harbour rules, will effectively require US companies to apply the same standard of data protection applicable in the EU to information received from the region.
The US has also given the EU written assurance that access by authorities for public security purposes will be subject to clear limitations and safeguards.
"Now we start turning the EU-US Privacy Shield into reality," said Andrus Ansip, the European Commission's vice president for the digital single market. "Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age."
Commenting on today's announcement, Ashley Winton, partner and UK head of data protection and privacy at law firm Paul Hastings and chairman of the UK Data Protection Forum, pointed out that not only is the new Privacy Shield accepted as holding businesses to a much higher standard than Safe Harbour did, but many organisations have also been left in a position of uncertainty by the length of time it has taken to draw up the new rules.
"The introduction of the Privacy Shield will be warmly welcomed by businesses on both sides of the Atlantic, but will not put an end to the uncertainty surrounding European and US data transfers," said Winton. "It is not yet known whether or not the data protection regulators in the UK, and each individual EU jurisdiction, will support the new mechanism or whether new legal challenges will arise."
Meanwhile, Phil Lee, partner at Fieldfisher, remarked: "Like Safe Harbour, the Privacy Shield relies on companies self-certifying their compliance. That's sure to be controversial – Safe Harbour didn't have a good track record of self-certified companies complying with the commitments they made."
The original Safe Harbour code was deemed invalid in a ruling by the Court of Justice of the European Union, after Edward Snowden sounded the alarm over how US intelligence services were using data for surveillance.