Privacy Shield data pact gets European approval

  • Published
Media caption,

They way the EU and US share data is changing

A revised pact governing EU-US data flows has been approved by European governments.

The Privacy Shield agreement replaces the previous accord, called Safe Harbour, that was struck down in October 2015.

Safe Harbour let US companies self-certify that they were doing enough to protect data about Europeans.

The European Court of Justice threw out Safe Harbour after leaks showed data was being spied upon.

Flawed premise

Member states of the European Commission have given "strong support" to the Privacy Shield said the EC's Justice Commissioner Vera Jourova in a statement., external

Ms Jourova said the approval paved the way for the formal adoption of the agreement early next week.

"The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business," said Commissioner Jourova. "It is fundamentally different from the old Safe Harbour."

The adoption of the Privacy Shield ends months of uncertainty for many tech companies such as Google and Facebook after the European court found the Safe Harbour agreement wanting.

The agreement covers everything from personal information about employees to the detailed records of what people do online, which is often used to aid targeted advertising.

Image source, Getty Images
Image caption,

Edward Snowden's leaks about cyberspies undermined EU confidence in Safe Harbour

The Safe Harbour pact let US companies skirt tough European rules that govern how this data can be treated, by letting them generate their own reports about the steps they took to stop it being misused.

Revelations about the US National Security Agency's widespread surveillance using data which was supposedly protected by Safe Harbour, led to it being struck down.

The Privacy Shield put in place "clear limitations, safeguards and oversight mechanisms" for how data should be protected in the future, said Commissioner Jourova.

The Privacy Shield pact states that data stored in the US about EU citizens must be given "equivalent" protection by law to what it would receive if stored in the EU.

The CBI, which represents many UK businesses, said the decision would let firms "get back to business as usual".

"Ensuring UK firms can continue to seamlessly transfer data between our biggest trading partners will be an important priority for our future economic relationships post-Brexit," said Josh Hardie, deputy director general of the CBI.

The Digital Europe industry group that represents tech firms such as Google and Apple welcomed the decision.

"Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies," said John Higgins, Digital Europe's director general.

Earlier drafts of the Privacy Shield pact had been criticised by many European data watchdogs, who said it did not go far enough.

Digital rights group Privacy International (PI) said the revised pact had been drawn up on a "flawed premise". Instead of accepting US government assurances that data would be protected, EU negotiators should have sought to get legislation passed to guarantee privacy was not abused, said PI legal officer Tomaso Falchetta.

"It is not surprising that the new Privacy Shield remains full of holes and hence offers limited protection to personal data," he said.

It is also not clear how long the Privacy Shield will remain in force in the UK because of the referendum result, which will see the UK leave the EU. However, the UK's Information Commissioner has said the UK may have to adopt EU data protection rules to trade post-Brexit.