United States and European Union officials have reached a deal that will let American companies continue to transfer data between the two regions.
“We have agreed, with our U.S. partners, [on] a new framework that will ensure the right checks and balances for our citizens,” Andrus Ansip, the European Commission official in charge of Europe’s unified digital agenda, said at a press conference Tuesday afternoon in Brussels.
The new framework, which officials are now calling the “E.U.-U.S. Privacy Shield,” replaces the 2000 “Safe Harbor” arrangement that Europe’s highest court struck down in December over concerns about U.S. mass surveillance.
That previous deal allowed companies like Facebook and Google to “self-certify” that their transatlantic data transfers met the stringent requirements of Europe’s 28 national data-protection regulators. But in its Dec. 6 ruling, the European Court of Justice declared that, because those American companies were subject to far-reaching surveillance by the NSA and other agencies, they could not credibly make those privacy guarantees.
“This is a unique step the U.S. has made in order to restore trust.”
Data privacy is considered a fundamental right in the European Union, and negotiations over a replacement deal have focused on whether the United States would offer concessions like increased oversight of intelligence agencies’ use of Europeans’ data.
Under the new deal, expected to take effect within three months, the State Department will establish an ombudsperson post to serve as a point of contact for E.U. citizens with complaints about the use of their data.
E.U. citizens will have three options for contesting use of their data. Complaints can go directly to the relevant company, which will be required to respond by a specified deadline. Citizens can also send complaints to the European Commission and the Federal Trade Commission, which will work together to “ensure that complaints from E.U. citizens are investigated and resolved.” In addition, there will be “an arbitration mechanism” to settle complaints between citizens and companies.
To be covered by the new deal, U.S. companies must “commit to robust obligations on how personal data is processed and individual rights are guaranteed.” The FTC will be able to enforce violations of those commitments.
If a national data-protection regulator refers a case to the U.S., the Department of Commerce will be given a deadline to respond to it.
The Commerce Department and the European Commission will also conduct an annual review of the deal’s mechanisms.
Věra Jourová, the E.U. justice commissioner, called the deal “a strong and safe framework for the future of transatlantic data flows.”
“If companies do not comply in practice,” she said, “they face sanctions and removal from the list” of participating companies.
Ansip said that American negotiators “clarified that they do not carry out indiscriminate mass surveillance of Europeans,” a statement that will likely prove to be controversial among privacy activists.
According to Jourová, U.S. officials gave their European counterparts “binding assurances” that U.S. government access to Europeans’ data “will be subject to clear limitations, safeguards, and oversight mechanisms.”
“This is a unique step the U.S. has made in order to restore trust,” she said.
During a conference call with reporters, a senior Commerce Department official said that the Office of the Director of National Intelligence had detailed in writing for the European Commission “exactly how those limitations and safeguard work.” But the official declined to describe those safeguards, which are sure to be a key factor in whether the deal survives judicial scrutiny.
As part of a broader attempt to harmonize U.S. and E.U. privacy protections, Congress has been considering a bill, called the Judicial Redress Act, that would give Europeans the right to challenge the U.S. government’s collection of their information from private companies in criminal investigations. The Senate was expected to soon begin fast-tracking the bill.
The new agreement is likely to be controversial with Europe’s data-protection regulators, and it will almost certainly be challenged in court over the extent and seriousness of the United States’ privacy commitments.
Max Schrems, the activist whose lawsuit against Facebook led to the ECJ ruling, tweeted that, while he was “looking forward to the final text,” the second Safe Harbor would likely “go back” to the high court.
“On a topic as important as this,” Ansip said, “we have to find common solutions.”
Update 11:30am CT, Feb. 2: Added comment from a senior Commerce Department official.
Illustration via Max Fleishman