TheEuropean Commission on Monday released a draft of the EU-U.S. Privacy Shield agreement, which would replace the controversial Safe Harbor provisions that regulated U.S. access to the data of European residents.
The legal texts aim to finalize the reform of EU data protection rules, which apply to all companies doing business in the region, EC officials said. An umbrella agreement between the U.S. and the EU would establish high data protection standards on data transfers across the Atlantic.
“Protecting personal data is my priority both inside the EU and internationally,” said Commissioner Vera Jourova. “The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals, and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.”
The plan also calls for an ombudsman within the U.S. State Department as a possible redress against any allegations of privacy violations.
Complaints against companies must be resolved within 45 days, a free alternative dispute resolution process will be available, and EU members will be able to file complaints with their own national data protection authorities, the EC said.
President Obama signed the Judicial Redress Act on Feb. 24, and the commission is expected to propose the signature of the umbrella agreement.
Lack of Privacy Protections
“They tried to put 10 layers of lipstick on a pig, but I doubt the court and the DPA’s now suddenly want to cuddle with it,” said Max Schrems, who filed a lawsuit challenging the transfer of private data to Facebook’s European subsidiary in Ireland.
The agreement fails to protect against access to private data, among other shortfalls, he told the E-Commerce Times.
It allows companies to self-certify and fails to provide adequate protection for the private data of individual users, according toAccess Now.
“The flow of data might go on for now, but there remains insufficient protection for users’ private data, insufficient legal certainty for companies.” said Estelle Masse, EU policy analyst at Access Now.
The bigger news embedded in this deal is the failure to address the issue of how non-EU countries should deal with EU data, said Kapil Raina, a vice president atHyTrust.
“The entire reason the EU invalidated the previous Safe Harbor laws was the revelation that government entities may be able to in fact look at noncitizen data via international U.S. companies,” he told the E-Commerce Times.
The deal is a strong agreement that enables transatlantic commerce while safeguarding privacy for individuals, U.S. Secretary of Commerce Penny Pritzker said.
“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals and businesses on both sides of the Atlantic,” she said. “We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy.”
It underpins more than US$260 billion in digital services trade across the country and will allow U.S. and EU businesses and individuals to continue to access online services, Pritzker said.
The agreement would grant the U.S. access to data, while providing enough safeguards to the EU and offer a self-regulating mechanism at the State Department, according to theInformation Technology Industry Council.
“After our initial review,” said Josh Kallmer, senior vice president for global policy at ITIC, “it appears the two sides have achieved the objective of securing an agreement that both enhances privacy protections and provides the certainty needed to promote innovation and economic growth.”