IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Will the new Safe Harbour deal really protect your data?

Businesses and campaigners react to Privacy Shield, the new EU-US data transfer agreement

EU flag

The EU and US have reached a last-minute deal to ensure companies can transfer European data to American soil.

The new agreement provides guarantees that personal data from the EU will receive adequate protection when processed by US firms, and replaces a defunct deal that around 4,000 businesses relied on.

Safe Harbour was ruled invalid by the EU last October when it decided the US valued national security and law enforcement over the guarantee of privacy.

Its replacement, the EU-US Privacy Shield, was hailed by the EU as a way of resolving the issue.

European Commission vice president Andrus Ansip said: "We have agreed with our US partners a new framework that will ensure the right checks and balances for our citizens.

"We have for the first time received detailed written assurances from the US on the safeguards and limitations applicable to US surveillance programmes."

In some ways it is stronger than Safe Harbour though. Where the former agreement did not check companies were meeting their obligations to protect data, the new deal forces companies to publish their commitments, making them enforceable under US law.

The US has also given the EU written assurances that it will not carry out "indiscriminate mass surveillance" on data transferred under the scheme.

Companies will have deadlines by which they must respond to complaints from people who feel their data has been misused, while data watchdogs can refer those complaints to US authorities.

Furthermore, any accusations of spies accessing people's data will be investigated by a new Ombudsperson.

However, the new agreement has been met with mixed reaction from businesses and data protection campaigners.

TechUK, an industry trade body representing more than 800 companies, welcomed Privacy Shield.

Deputy CEO Anthony Walker said: "Today's announcement of a new deal for EU - US data transfers is extremely important. The European Commission and US Administration must now show total commitment to implementing this and getting transatlantic data flows back onto a secure and stable legal footing.

"Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers."

The Information Technology and Innovation Foundation (ITIF), also welcomed the agreement, and criticised the decision to revoke Safe Harbour.

Vice president Daniel Castro said: "We commend US and European negotiators for completing an agreement that avoids disrupting the transatlantic digital economy in the near term by ensuring continuity for the thousands of US and European companies providing services across the two markets."

But others are more sceptical, with one lawyer claiming Privacy Shield's reputation is already "shot to pieces".

Phil Lee, data protection partner at European law firm Fieldfisher, said: "Keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would place want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces."

Privacy campaigner Max Schrems, whose lawsuit against Facebook led to the original Safe Harbour being ruled invalid, also spoke out against the new agreement.

He claimed that despite the US' written assurances of not spying on EU data, there have thus far been no changes to its legal system to reflect this.

"A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance," he wrote.

"I doubt that a European can walk to a US court and claim his fundamental rights based on a letter by someone. The Commission could to be en route to issuing a round-trip to the European Court in Luxembourg and back. This would also not provide any legal certainty for businesses - at the most it would provide a couple more months to adapt."

He ended his evaluation by warning that people will challenge the new agreement, adding that he may be among them.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Home Office to collect foreign offenders' biometric data using smartwatch scheme
privacy

Home Office to collect foreign offenders' biometric data using smartwatch scheme

5 Aug 2022
UK safety tech sees another year of growth, amidst backlash
business transformation

UK safety tech sees another year of growth, amidst backlash

2 Aug 2022
Tim Hortons 'offers free coffee and donut' to app users to settle data lawsuit
privacy

Tim Hortons 'offers free coffee and donut' to app users to settle data lawsuit

1 Aug 2022
TikTok to give researchers new API for insight, greater transparency
Business operations

TikTok to give researchers new API for insight, greater transparency

28 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022