The European Commission has adopted Privacy Shield, a new agreement governing data transfer across the Atlantic.

The agreement, which replaces the previous Safe Harbor agreement and was designed to address EU concerns over US government surveillance, places new restrictions on companies handling data and includes new US government assurances about how data will be used.

This will entail the US Department of Commerce conducting regular updates and reviews of companies handling data to ensure that they follow the rules. If they do not, they can face sanctions.

The US provided assurances that public authorities would only access EU citizens’ data subject to “clear limitations, safeguards and oversight mechanisms.”

This included the US ruling out indiscriminate mass surveillance.

The agreement also provides for an annual joint review mechanism to monitor the functioning of the agreement.

Also new in the agreement is the redress mechanism, which aims to protect the individual rights of citizens. If a citizen feels their data has been misused, there are several dispute resolution mechanisms: through companies, through their national Data Protection Authority or, in the last resort, through an arbitration mechanism.

Last year, the European Court of Justice ruled that Safe Harbor was invalid, forcing the Commission to start negotiations with the US on a renewed and safe framework on transfer of personal data.

The framework is required to meet the requirements identified in the court ruling with respect to limitations and safeguards on access to personal data by US public authorities.

The decision is of paramount importance to US companies which hold data from European customers, such as cloud providers.

Omer Tene, Vice President of Research and Education at the International Association of Privacy Professionals, said that Privacy Shield had concluded the process set off by the revelations of Edward Snowden.

He said that “the Shield, which includes commitments by both self certifying companies and the U.S. Government, will mitigate uncertainty and risk and increase trust in the global digital economy. To implement it, companies will need to train and educate a workforce on basic principles of privacy and data protection.”