American technology companies with operations across the Atlantic can breathe a collective sigh of relief as officials from the European Commission and the United States agreed upon a data pact on Tuesday. The EU-U.S. Privacy Shield, a successor to the Safe Harbour agreement, created a new transatlantic data transmission framework.
While the EU and the U.S. negotiated, American tech companies were held in limbo, uncertain whether they could continue their data transfer practices, potentially putting their businesses at risk. Now, they can rest easy.
Throughout the lengthy negotiations to replace the Safe Harbour pact, two issues kept cropping up: The EU wanted stronger assurances of meaningful limits on government access to personal data and the creation of a process to allow Europeans to seek redress if they believed the U.S. government misused their personal data.
Officials had until Wednesday to form a new pact after missing their Jan. 31 deadline.
The Privacy Shield mandates U.S. companies offer stronger protection for Europeans' personal data, according to the European Commission's announcement. It also requires the U.S. Department of Commerce and the Federal Trade Commission, in cooperation with European Data Protection Authorities, to monitor and enforce data privacy violations.
Every year, the authorities will revisit the agreement and evaluate its implementation to make sure everyone stays committed and in line with the pact's requirements.
The U.S. agreed that access to personal data "will be subject to clear limitations, safeguards and oversight mechanisms," Vera Jourova, the EU's commissioner for justice, consumers and gender equality, said in a statement. "In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans."
Now, the 28 member states of the EU just have to approve the agreement, then both sides have to implement it. Of course, the U.S. and the EU have to iron out the legal fine print, a particularly tricky task considering the inherent challenges of building a pact between two government entities with fundamentally different legal systems.
Wait, what happened with the original Safe Harbour pact?
The 15-year-old Safe Harbour agreement, under which businesses transferred personal information of EU citizens to the U.S. for storage and processing, was ruled invalid by the EU last October. The U.S. and EU had until Jan. 31 to reach a new agreement.
When the EU struck down the pact, it called the legality of many companies' data processing operations into question. European data protection authorities said if a new agreement was not reached within three months, they would start auditing companies' compliance on data transfers and would consider enforcing penalties.
Companies like Google, Facebook and Amazon suddenly were at risk of losing billions of dollars in business if government authorities did not reach a new agreement. About 4,400 companies operated under the previous data transfer pact.
The U.S. tech industry got stuck in the center of the debate when EU authorities voided the original data pact, said Matthew Starr, public advocacy director for CompTIA, a non-profit trade organization for tech professionals and organizations. "Their business (was) compromised by something that is well beyond their control."
The majority of those 4,400 companies had no backup plan should the pact fail, Starr said. Most enterprises could only sit back and hope the two parties came to an agreement.
Though authorities did agree to terms to allow companies to transfer data across the Atlantic, implementation and enforcement still pose a challenge.
"Regardless of how the pact purports to resolve issues of U.S. government access to EU personal data transferred to U.S. companies, EU privacy regulators are going to be faced with trying to figure out what the pact actually means for their data protection enforcement efforts," said Donald Aplin, Bloomberg BNA's managing editor of Privacy & Data Security News.
"The fundamental issues of limiting government access to data is (unsettled) in the U.S." and is not "easily resolved in an international context given the depth of EU concerns about privacy and surveillance," said Aplin.
But even with its concerns over data privacy, Europe still directly benefits from the nearly unfettered transfer of data.
"The EU has a huge vested interest in ensuring that data flows continue with the U.S.," Aplin said. "Tens of thousands of EU companies depended on being able to send personal data out of Europe."