The European Commission has just announced that it is adopting the so-called EU-US Privacy Shield, a new digital agreement between the two unions.
Privacy Shield is the updated version of Safe Harbor, an agreement between the EU and the US with regard to the sharing of digital data and regulations between the two bodies. Safe Harbor, and now Privacy Shield, is what allows companies like Facebook, Twitter and YouTube to operate globally, or at least in the Western world, without worrying where they store data. It’s the backbone of digital data sharing, but also a contentious point for privacy and security advocates.
Safe Harbor was deemed to be invalid by the European Court of Justice back in 2015, because the EU authorities found that the US could not guarantee adequate protection for Europeans’ data. Under EU law, data transfers outside of the EU may only take place if the receiving party can guarantee “essentially equivalent” data and privacy protections as the EU. The European Court of Justice found that mass spying programs from the US essentially destroy a user’s right to privacy, a fundamental right in the EU, so Safe Harbor was deemed invalid.
Privacy Shield is supposed to address many of those issues and create a clear and legal framework for the sharing of data between EU and US companies and governments. In fact, the European Commission praises Privacy Shield, claiming it offers “clear safeguards and transparency on US government access”, “effective protection of individual rights” and other benefits.
Andrus Ansip, the EU's head for the Digital Single Market, explained:
It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.
Unfortunately, critics and security experts are already decrying Privacy Shield as nothing more than a rebranded Safe Harbor, with no teeth and little protection for Europeans in the face of bulk data collection by US agencies. Recent legal cases, like the one where Microsoft is asking the US government to follow international law in obtaining information stored in Ireland, highlight the recent struggles of companies and privacy advocates.
Whether Privacy Shield will add to those struggles or ease them remains to be seen – the program has an annual joint review component which should force authorities to study how well the legislation has worked over its first year.