The UK data industry should be breathing slightly more easily following a last-minute deal which will permit data transfers between Europe and the US to continue through a new agreement to replace Safe Harbour, dubbed the “EU-US Privacy Shield”.
While some may be wondering what all the fuss has been about, more than 4,000 US companies have so far transferred data using the safe harbour rules, and most UK personal data held in the cloud is based in the States.
Meanwhile the issue also affects huge tech giants, such as Google and Facebook, which use US-based operations to hold user data.
The announcement came just hours after it was claimed that the two parties were still miles apart, with the January 31st deadline already passed, sparking fears of months of uncertainty.
The original safe harbour agreement was ruled illegal in October last year by the European Court of Justice, in a case brought against Facebook by Austrian lawyer Max Schrems. He argued that the Edward Snowden disclosures showed there is no effective data protection regime in the US.
According to a European Commission statement, Privacy Shield “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”.
The rebrand to Privacy Shield is designed to prevent any association with its predecessor. The deal will offer new safeguards around access to data by public authorities and give consumers the right to take legal action against companies using their data.
It will also create an independent ombudsman role and be reviewed annually.
EU justice commissioner Věra Jourová described the deal as a “major achievement” and said a draft agreement will be drawn up in the next few weeks to finalise the political commitments made.
One data industry source said: “Data is the lifeblood of not just the marketing industry but global commerce. It’s becoming harder and harder to convince consumers that their data is safe in our hands and the Edward Snowden revelations had a major impact on that, too.
“For Privacy Shield, the devil is in the detail, but that has hardly been forthcoming. The EU needs to push forward quickly and rebuild confidence in the market.”
Snowden, for one, appears unimpressed. After news of the deal broke, he tweeted: “EU capitulates totally on #SafeHarbor. Interesting, given that they held all the cards.”
And Ashley Winton, UK head of data protection and privacy at lawyers Paul Hastings LLP, said the result of months’ worth of negotiation “appears weak”, and that if it is adopted we are likely to see further legal challenge in the European courts.
“The European Commission still needs to make the case that the US system of privacy laws is essentially equivalent, that data subjects have real rights against disproportionate processing in the US, and that if there is disproportionate or illegal processing then citizens can have their personal data deleted and ultimately redress in an appropriate court,” he added.