No challenge to ‘data pact’
Monitors nod
BRUSSELS, July 26, (Agencies): European Union privacy watchdogs will let a new EU-US commercial data pact underpinning billions of dollars of transatlantic trade run for at least a year without any legal challenge, they said on Tuesday.
That came as a relief to businesses from Alphabet Inc’s Google to Microsoft to Apple who have been mired in legal uncertainty over cross-border data transfers that are crucial to modern business since an EU court ruling last year.
The previous such data transfer framework, Safe Harbour, was struck down by the EU’s top court last October on the grounds that it allowed US agents too much access to Europeans’ data.
The new EU-US Privacy Shield will allow companies to transfer personal data from the EU to the United States — from human resources information to individual browsing histories to hotel bookings.
Since Safe Harbour was struck down, thousands of companies were forced to switch to more cumbersome mechanisms for legally transferring Europeans’ data to the United States.
Revelations three years ago from former US intelligence contractor Edward Snowden of mass US surveillance practices caused political outrage in Europe and stoked mistrust of big US tech companies.
Protection
The chair of the group of 28 EU data protection authorities said on Tuesday that the regulators would not launch any challenges to the new Privacy Shield until it has gone through its first annual review, expected sometime next summer.
“The first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made (by the US government),” Isabelle falquepierrotin, who heads the French data protection authority, told reporters.
Falque-Pierrotin said the regulators still wanted evidence from the US government that its commitment to not conduct mass and indiscriminate surveillance would be met.
The powers and independence of a new US privacy ombudsperson who will deal with complaints from EU citizens about US surveillance practices could also be strengthened, Falque-Pierrotin said.
“The annual review will be a vital point to determine whether the safeguards are effective and make tweaks if necessary. We have full confidence that the Privacy Shield will be a success,” said John Higgins, Director General of DIGITALEUROPE, whose members include Google, IBM and Microsoft.
Regulators
Falque-Pierrotin added regulators would have to investigate any complaints from individuals about the functioning of the framework but these would be “a case by case analysis.”
The legality of the other mechanisms firms have been using in the meantime, so-called standard contractual clauses which establish privacy protections between groups and binding corporate rules will also be assessed after the first joint review of the Privacy Shield.
“If the situation is considered as OK at the first annual review on the public security side, it is going to have an impact also on the other transfer tools by reaffirming their legal robustness,” she said.
EU data protection authorities had demanded improvements to the Privacy Shield in April, forcing EU and US officials back to the negotiating table to strengthen the privacy protections in the framework.
EU and US officials say the Privacy Shield system lays down tough rules to prevent US intelligence agencies accessing European data, with companies facing penalties if they do not meet EU standards of protection.
The European Court of Justice threw out the earlier “Safe Harbour” arrangement after Austrian activist Max Schrems sued Facebook in Ireland, citing US snooping practices exposed by former US intelligence contractor Edward Snowden.
Companies wanting to transfer data from Europe to the United States must now “self-certify” as being compliant with the new deal with the US government from Aug 1, the EU said.
If they fail to do this, they can face fines and removal from the list.
Top US companies including Facebook, Google and Microsoft in particular have been eager to end the legal void so as to protect massive data transfers from their European subsidiaries to their headquarters in the United States.