EU prepares to raise Privacy Shield over data transfers to U.S.

Privacy Shield is intended to replace the Safe Harbor Agreement as a means to legalize the transfer of EU citizens' personal information to the U.S. while still respecting EU privacy laws.

A new deal is needed because the Court of Justice of the EU invalidated the Safe Harbor Agreement last October, concerned that it provided Europeans with insufficient protection from state surveillance when companies exported their personal data to the U.S. for processing.

The first draft of Privacy Shield agreement presented by the European Commission in January lacked key assurances from U.S. officials on the same matters that had concerned the CJEU about Safe Harbor.

The Article 29 Working Party, composed of national data protection authorities, remained skeptical even as the draft was amended in April, and in June the European Data Protection Supervisor (EDPS) joined the critics. Neither the working party nor the supervisor have the power to block the deal, though, as their role is merely to advise the Commission on such matters.

The European Parliament voted, with reservations, to approve Privacy Shield in May, and on Friday representatives of the EU's 28 national governments gave their assent to the deal, clearing the way for the Commission to give final approval to Privacy Shield in a so-called "adequacy decision" early next week.

The European Commissioner for Justice, Consumers and Gender Equality, V?ra Jourová, is scheduled to present the deal to Parliament's Civil Liberties, Justice and Home Affairs Committee on Monday.

The U.S. has now given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms, and has ruled out indiscriminate mass surveillance of European citizens' data, she said Friday.

Businesses have been clamoring for the deal to be approved, as many have found their activities hamstrung by the invalidation of Safe Harbor. There are other ways for businesses to transfer Europeans' personal information to the U.S. for processing.

If the transfers are between subsidiaries of the same company, they can be safeguarded by binding corporate rules defining the responsibilities of the corresponding businesses. External transfers can also be protected by model contract clauses restricting what the receiving company may do with the data. And businesses also have the option of asking people to waive their rights to European standards of privacy by consenting to the export of their personal information.

Model contract clauses could yet have their day in court, as the Irish Data Protection Commissioner has asked the Irish High Court to refer a question about their validity to the CJEU. Europe's data protection authorities have also not excluded the possibility of seeking the CJEU's verdict on Privacy Shield.