European and American negotiators came to an agreement Tuesday allowing thousands of U.S. technology companies to continue moving consumer data across the Atlantic, staving off for the moment a crisis of digital commerce with Silicon Valley at the center.
Struck a day after the deadline set by European regulators, the last-minute deal spared nearly 5,000 American businesses from a possible disruption of their services, with billions of dollars at stake. Dubbed the “EU-U.S. Privacy Shield,” the negotiations revolved around privacy concerns of European authorities who worried that American surveillance of data transmitted across the Atlantic might violate the rights of European citizens.
The new arrangement attempts to alleviate these apprehensions by instituting tighter obligations on American companies to protect the data of Europeans, and puts additional accountability on U.S. agencies to monitor and enforce these protections. U.S. law enforcement agencies wishing to access information held by tech companies operating in Europe “will be subject to clear conditions, limitations and oversight, preventing generalized access,” the European Commission said Tuesday.
With indiscriminate mass surveillance ruled out, the data privacy commitments of American businesses will be monitored by the Commerce Department. And every year, European and American officials will review the arrangement, aiming to balance privacy rights and national security interests. Any E.U. citizen who believes their data has been misused can file a complaint to data protection authorities across Europe. And a special ombudsman within the U.S. State Department will be appointed to investigate alleged wrongdoing.
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies,” said Europe’s Justice Commissioner Vera Jourova.
“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” she said.
On the American side, the Federal Trade Commission, the country's top consumer watchdog, will be charged with enforcing the privacy commitments pledged by U.S. businesses — how consumer data is processed and how individual privacy rights will be guaranteed. FTC Chair Edith Ramirez said Tuesday that she is pleased with the agreement reached in Brussels. She described the “Privacy Shield,” which has yet to be finalized, as part of a “broader commitment to protect consumer’s information and privacy.”
The protracted and tense negotiations between European and American officials were years in the making, but began with urgency last October, when the previous transatlantic data agreement, known as Safe Harbor, was struck down by the European Court of Justice, the E.U.’s highest judicial authority.
The court invalidated Safe Harbor, which had been in place since 2005, following the revelations of Edward Snowden and pressure from European regulators to rein in American surveillance. While the old Safe Harbor agreement required American firms to maintain high consumer data protection standards, equivalent to European ones, the high court ruled that the arrangement violated citizens’ fundamental rights to privacy and judicial protection. The new deal is meant to address these issues and to offer those thousands of data-hungry businesses permission to operate.
While the outline of the new deal has been set in principle, it will need the approval of the EU’s 28 member states. On Wednesday, privacy regulators from across Europe will also offer their views on the “Privacy Shield.” If it’s officially approved, the new transatlantic data arrangement will go into effect in the spring.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.