Monday 19 March 2018

Safe Harbour: New European, US data transfer pact clinched

Austrian privacy campaigner Max Schrems successfully challenged the Safe Harbour treaty (
Austrian privacy campaigner Max Schrems successfully challenged the Safe Harbour treaty (
Adrian Weckler

Adrian Weckler

The EU and US have struck a deal over data privacy aimed at protecting Europeans from US spies and defusing a political standoff that threatened transatlantic trade.

The two trading blocs have agreed to replace the struck-down ‘Safe Harbour' data treaty with a new accord, to be called EU-US Privacy Shield.

European Commissioners said today that the new agreement provides for more transparency and oversight for Europeans worried that their private information is being mishandled in the US.

The European Commission's vice president for the Digital Single Market, Andrus Ansip, said that the EU "has received detailed written guarantees from the US" about not "indiscriminately" surveilling Europeans.

Last year, the European Court Of Justice nullified the EU-US Safe Harbour data transfer treaty because it found that indiscriminate surveillance by US authorities of EU citizens' data contravened fundamental European rights.

Under the new deal, an "independent" ombudsman will be set up to deal with cases of suspected abuse by US authorities.

"This protects the fundamental human rights of Europeans and… lives up to the [principles set by the] European Court of Justice," said Vera Jourova, the European Union's Commissioner for Justice, Consumers and Gender Equality.

"It will provide a strong and safe framework for the future of transatlantic data flows."

Ms Jourova said that the new agreement could become law in three months with annual reviews to check on compliance issues.

US multinational companies in Ireland warned last week that a failure to produce a successor to the Safe Harbour treaty could result in the loss of jobs in Ireland.

The detail of the new agreement, which is being referred to as a "framework" for now, has yet to be fully unveiled. However, a European Commission statement said that the agreement would give "certainty" to companies transacting across the Atlantic.

"US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed," said the statement. "The [US] Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs [data protection authorities]."

The statement also referred to "safeguards" and "transparency obligations" on US government access.

"For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms," it said.

"These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it."


Business Newsletter

Read the leading stories from the world of Business.

Also in Business