After months of discussion, the European Union and United States government have agreed on the final changes to a new data protection agreement that will be called the EU-US Privacy Shield.
The agreement is designed to replace the Safe Harbour pact, an agreement between the two entities meant to facilitate the globalization of services offered by IT firms but ultimately struck down by the European Union Court of Justice in 2015 due to worries regarding substantial protection of the private information of European citizens.
A major change in the EU-US Privacy Shield is a commitment from the US government regarding the bulk collection of data sent from the European Union to the United States.
According to the United Kingdom’s Information Commissioner, a post-Brexit UK may have to adopt EU data protection rules as well if it hopes to continue trading with the EU once the split between the UK and EU is official.
So long as the new pact is approved by the European Union’s member states, it could take effect by this July.
As stated earlier, the EU-US Privacy Shield will replace the Safe Harbour Act by making it easier for organizations to transfer personal data across oceans and national boundaries.
As per the EU-US Privacy Shield, the US will have to establish an ombudsman to handle complaints from EU citizens regarding American security officials spying on their personal data. The US Office of the Director of National Intelligence will also have to offer written commitments promising that the Europeans’ personal data will not be subject to mass surveillance by senior officials or robotics engineers. Finally, the EU and US will conduct annual reviews in order to ensure that the new system is working properly and that the right kind of information is being protected.
How these agreements will be received by major officials and the public remains to be seen. According to the European Data Protection Supervisor last May, the Privacy Shield agreement still needs to provide “adequate protection against indiscriminate surveillance” and “obligations on oversight, transparency, redress and data protection rights.”
Amendments were made accordingly, including the addition of a written commitment from the White House stating that the bulk collection of data sent from the EU to the US can only occur under particular preconditions and must be “as targeted and focused” as possible. Data retention rules were made more explicit, forcing companies to delete data that no longer serves the purpose for which it was collected. Finally, a specification was made that the ombudsman will be independent from national security services.
According to a spokesperson for the European Commission, “This new framework for transatlantic data flows protects the fundamental rights of Europeans and ensures legal certainty for businesses.”
A spokesperson for the Information Commissioner’s office said the following regarding Brexit:
“If the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’ – in other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organizations and to consumers and citizens,” the spokesperson concluded.