There has been a lot riding on this divisive and complicated agreement, which is why it has taken over two and a half years for all the involved parties to iron out all the details. As of July 12th, the new framework was officially adopted and put into effect.
The EU-US Privacy Shield, as it is known and which replaces the International Safe Harbor Privacy Principles, is basically an agreement between the EU and the US to make the transfer of data for commercial reasons easier and safer.
Speaking at the time of the announcement, Andrus Ansip, vice president for the Digital Single Market on the European Commission, said that the pact will offer reassurance to EU citizens and deliver “clarity” to businesses.
"Data flows between our two continents are essential to our society and economy."
“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible,” he said. "Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions".
There are three key principles to be aware of and we’ve digested all of the key points below.
1) Tough requirements on organizations that handle data
Even greater transparency is at the heart of much of this agreement. This principle requires US companies to adhere to “robust obligations” when it comes to processing personal data that it has imported from Europe.
The Department of Commerce in the US will be in charge of this, holding companies that have voluntarily signed up to the framework to account (it is important to note that it isn’t legally binding on other enterprises). Those that fail to satisfy the requirements under the pact face sanctions.
2) Safeguarding data by limiting US government access
Another major feature of this deal is the understanding between the EU and the US that the latter will respect the privacy and security of data that is transferred across the Atlantic from Europe.
According to the European Commission, the US government “has ruled out indiscriminate mass surveillance on personal data” that comes in from the EU. However, this reassurance has not convinced the likes of Privacy International, which has stated “there are no meaningful legal protections … any promises today can easily be undermined tomorrow”.
3) Protecting the rights of Europeans
In an increasingly globalized world, it is often difficult to know what happens “behind the scenes” of the internet - we click, we fill in forms, we press send. However, as a BBC video explains, if you use websites like Facebook, Google and iTunes, “your personal data will have been removed from your country and shipped off to the US for processing”.
Whereas before there was a lot of ambiguity about what was happening with that data, now there are clearer “redress possibilities”. Any EU citizens that feel their personal information may have been misused will, in theory, be able to resolve complaints more effectively.
So, there you have it, the EU-US Privacy Shield in a nutshell. It’s hard to assess its impact fully until it has some time behind it, so real insight will only come retrospectively (incidentally, it will not be challenged for at least a year). Nevertheless, it will be under close scrutiny over the next 12 months, with many eagle-eyed observers examining how effective, how well implemented and how secure it is.
The latter is definitely going to make or break this new agreement, as more people are conscious of the lack of visibility they have over their personal information. As an ICO survey from 2015 revealed, 85% of respondents are worried about “how their personal information is passed or sold to other organizations”. It is a big deal.
If this piece has piqued your interest, we’ve put together some recommended reading below on privacy, this new agreement and data protection. It includes expert commentary from ESET’s Stephen Cobb and David Harley:
- Data privacy and data protection: US law and legislation white paper
- Data privacy and data protection: US law and legislation
- New security measures to protect EU data flows to the US
- GDPR Day: countdown to a global privacy and security regimen?
- The data protection dustbin: Safely disposing of personal data