EU and US policymakers have agreed a new data transfer framework called Privacy Shield that will replace the defunct Safe Harbour charter.
The agreement has not yet been ratified but contains several notable provisions designed to better protect data on EU citizens once it is exported to the US.
Firstly, US firms must adhere to new regulations on how data on EU citizens is collected, sorted and used, with oversight from the US Department of Commerce. This will be subject to enforcement from the Federal Trade Commission (FTC). The specifics of these requirements have not yet been finalised.
Second, any access to data by US law enforcement agencies must take place within an agreed system of “limitations, safeguards and oversight mechanisms”.
The EU has also ruled out any mass surveillance of data transferred from the US and said that data monitoring must be “necessary and proportionate”. This will be reviewed each year by the EC and the Department of Commerce to ensure that it functions as intended.
Finally, the US will create a new ombudsman office that will investigate complaints by EU citizens on possible access by national intelligence authorities.
European data watchdogs will be able to refer citizen complaints on how their data is being used to the FTC and Department of Commerce, and companies will be given set deadlines for responding to queries.
EC commissioner Vera Jourová explained that the new Privacy Shield framework will ensure that EU citizens' data is adequately protected in the US.
“For the first time, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” she said.
“Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans.”
The proposed Privacy Shield framework was welcomed by the Information Technology and Innovation Foundation (ITIF), which had urged lawmakers to get a decision agreed as soon as possible.
“We commend US and European negotiators for completing an agreement that avoids disrupting the transatlantic digital economy in the near term by ensuring continuity for the thousands of US and European companies providing services across the two markets,” said ITIF vice president Daniel Castro.
“Free flow of data across borders is essential to global trade and commerce, and this renewed agreement marks an important step forward for US-EU cooperation.”
Others were less optimistic, however. Phil Lee, data protection partner at European law firm Fieldfisher, is dubious that the framework will survive the legal challenges it would attract.
"Today's announcement will undoubtedly be welcomed by many. But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces," he said.
Max Schrems, the man whose legal challenge led to the Safe Harbour framework being thrown out, also voiced his lack of confidence in the new proposals, saying that he may well challenge them once more details are known.
"Judging from the mere ‘headlines’ we know so far, I am not sure if this system will stand the test before the Court of Justice. There will clearly be people who will challenge this. Depending on the final text I may well be one of them."
Antony Walker, deputy CEO of techUK, said, though, that he hoped data protection authorities would back the new agreement, given its importance to businesses in both the US and the EU.
“Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers,” he said.
“The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to the global digital economy.”