The final agreement between the United States and the European Union to regulate the transatlantic transfer of data is now in place.
The proposal for the EU-U.S. Privacy Shield was released in February after the previous iteration of the agreement, the Safe Harbor, was struck down by the EU's highest court in 2015.
That decision resulted from a complaint filed by Austrian citizen Max Schrems in the wake of Edward Snowden's revelations about the surveillance activities of the National Security Agency. He sought an order to prohibit a social networking site from transferring his personal data to the United States. Schrems argued that the U.S. did not ensure adequate protection of his data as required by EU law because of the surveillance activities exposed by Snowden.
The Shield features several additions intended to ameliorate concerns in the EU over the handling of data in the United States, such as a promise from the U.S. government not to conduct mass surveillance of transferred data, the establishment of a cause of action for European citizens to allege violations of their privacy rights in American courts, and the creation of an ombudsperson to deal with complaints from the EU with regard to data transfer.
Critics were unimpressed with the changes from the Safe Harbor, with some governments in the EU expressing concern that the Shield still did not go far enough to protect the data of its citizens.
In response, some tweaks were made to the initial version of the deal, including a commitment that the ombudsperson will be independent from national security services as well as explicit data retention rules requiring companies to delete data that no longer meets the purpose for which it was collected.
The changes were enough to sway the members of the EU, who voted to ratify the agreement on July 8. The European Commission formally adopted the data transfer pact on July 12. Companies will be able to begin certifying their compliance with the U.S. Department of Commerce on August 1.
Why it matters: While some members of the EU continue to grumble about the deal and critics caution that the Shield will not withstand judicial scrutiny (Schrems has promised to file a similar challenge), regulators and governmental entities hailed the fact that the agreement is in place.
"[T]he EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business," Andrus Ansip, the Vice President for the Digital Single Market on the European Commission, and Vera Jourova, the European Commissioner for Justice, Consumers, and Gender Equality, said in a joint statement. "It is fundamentally different from the old 'Safe Harbour': It imposes clear and strong obligations on companies handling the data and makes sure those rules are followed and enforced in practice."
Federal Trade Commission Chair Edith Ramirez agreed. "I welcome the European Commission's approval of the EU-U.S. Privacy Shield Framework," she said in a statement. "The FTC has a strong track record of protecting consumer privacy, and we will remain vigilant as we enforce the new framework. We will also continue to work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe."