Privacy Shield is up and running, but will the US-EU data agreement stand up to scrutiny?
After months of uncertainty, companies in the EU and the US finally have a legal framework for transferring data about their citizens, like social media profiles and payroll information, across the Atlantic.
Yesterday, Brussels formally approved Privacy Shield, a regulatory regime which will govern more than $250bn a year in trade between digital service providers and ensure that EU consumer data is afforded the same level of protection when it reaches US company servers.
It replaces the old Safe Harbour agreement, which was overturned by the European Court of Justice (ECJ) in October last year after leaks by Edward Snowden sparked concern that US mass surveillance was able to access the data of European citizens.
While Safe Harbour allowed US firms to self-certify they were taking sufficient steps to protect Europeans' data, companies signing up to Privacy Shield will have to delete personal data once it has served the purpose for which they initially collected it.
A new ombudsman will also be appointed to handle complaints from Europeans and provide easy recourse to redress.
Since the ECJ ruling, tech firms like Facebook and others in the States have not been clear on what safeguards they should implement to ensure they are handling consumer data legally, operating under EU model clauses and binding corporate rules.
However, critics say that Privacy Shield won't succeed where its predecessor failed. European privacy campaigner Max Schrems said yesterday that it is likely to go the way of Safe Harbour once it is brought before the European courts.
“The European Commission does not need the agreement of the EU data protection regulators to adopt the Privacy Shield,” says Taylor Wessing's Vinod Bange. “But without their backing, the Privacy Shield is unlikely to give any real comfort to businesses because regulators have the ability to investigate data exports irrespective of any adequacy decision by the Commission.”
“Popular opinion is that it doesn't go far enough,” says Jason du Preez, chief executive of Privitar. “While there are massive data sets in the US, there will be the chance for Europeans to challenge.”
UK officials will be watching Privacy Shield with particular interest. As the UK leaves the European Union, a similar agreement may have to be struck to ensure data transactions to and from the bloc, given that GCHQ operates a higher level of surveillance than in other EU countries.
“Whatever legislation the UK does adopt, it will need to match up to Europe's,” says du Preez.