This article was published on February 2, 2016

Goodbye Safe Harbour, hello Privacy Shield – but what does that really mean for your data?


Goodbye Safe Harbour, hello Privacy Shield – but what does that really mean for your data? Image by: EU commission

After three months of negotiation and one missed deadline, the EU has finally come to a provisional deal with the US on new data transfer rules, now named Privacy Shield.

https://twitter.com/Ansip_EU/status/694553432569597952/photo/1

The pair had been thrashing out the new deal since the European Court of Justice ruled back in October that the existing Safe Harbor rule was invalid.

Safe Harbor used to allow tech companies like Facebook, Google and Microsoft to move user data between data centers if they could guarantee it had an “adequate level” of protection, but after Ed Snowden’s NSA spying revelations, this was struck down.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

As late as last night, Europe’s Commissioner for Justice, Consumer and Gender Equality Vera Jourova was working with the US Commerce Secretary Penny Pritzker to come to a binding decision on a post-Safe Harbor data transfer agreement.

Commissioner Jourova said the deal would be “fundamentally different to Safe Harbour” in order to withstand another legal challenge, guarantee citizens their fundamental right to protection of personal data and “ensure legal certainty for business.”

Rebrand

Privacy Shield, rebranded to prevent any association with its predecessor, is designed to offer new safeguards around access to data by public authorities and give citizens the right to take legal action against companies using their data.

It will also create an independent ombudsperson role and have an annual review procedure.

The commissioner said in a press conference today that this will take just three months to implement. She also made assurances that the rules would still be suitable when new data protection regulations come into force in 2018.

Although this appears to offer some guarantee for big tech companies like Facebook, Amazon and Google that they will still be able to move data freely and therefore not have to increase costs to the public, it still has political hurdles to clear first.

One such hurdle is the various national data protection bodies, as well legal questions from civil liberties organizations that will no doubt be raised over the protections outlined in the new rules.

It is still unclear whether legally-binding commitments have been made by the US, something many Members of the European Parliament expressed concern over in a short debate on the proposal last night.

Sophie in ‘t Veld, an MEP from the Netherlands, said: “If the Americans are serious about this then they will have to pass a law and I don’t think they are.”

She pointed out that “signatures at [the] highest political level” outlined by the commissioner would mean very little a year from now when there will be a new president in the White House – especially if that president is Donald Trump.

After the debate last night, Ed Snowden waded in with a comment that was retweeted by the original Safe Habour complainant Max Schrems.

Given the profound lack of trust between citizens and governments post-Snowden, it remains to be seen whether Privacy Shield can protect us where Safe Harbor failed.

European Commission

Get the TNW newsletter

Get the most important tech news in your inbox each week.