US businesses will be able to self-certify their compliance with the EU-US Privacy Shield's privacy principles from 1 August. A system of annual re-certification will apply.
The Privacy Shield has been established as a replacement for the previous 'Safe Harbour' framework for data transfers which was invalidated by the EU's highest court last year.
EU justice commissioner Věra Jourová said: "The EU-US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic."
The Privacy Shield's privacy principles and accompanying documents were published by the European Commission earlier this year. At that time the Commission set out a draft 'adequacy decision' which endorsed the view that EU-US data transfers handled in line with the Privacy Shield's requirements would comply with EU data protection laws.
However, a committee of data protection authorities from across the EU called for changes to be made to the original Privacy Shield proposals. At the time the authorities said the Privacy Shield did not protect sufficiently against bulk processing of EU citizens' data by US authorities and that it was not satisfied that a new ombudsperson, to be tasked with handling complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, would be independent.
In light of the concerns a revised framework was negotiated. It won approval from EU governments late last week. The Commission has now adopted a finalised 'adequacy decision' (44-page / 486KB PDF) which contains its view that businesses transferring personal data from the EU to the US in line with the Privacy Shield principles will accord with EU data protection law standards.
The Commission said that the US had provided written assurances "ruling out indiscriminate mass surveillance on data transferred under the Privacy Shield arrangement", had clarified when bulk collection of data could take place and what safeguards apply, and further guaranteed the independence of the new ombudsperson. Those commitments are set out in a series of annexes (104-page / 1.52MB PDF) to the Commission's adequacy decision.
The ability to transfer personal data outside the European Economic Area is restricted under the EU's Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.
Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that a legal challenge against the Privacy Shield is "very likely" to be brought before the courts.
Hon said: "It is very likely that the Privacy Shield will be challenged by activists or data protection authorities. If the Privacy Shield adequacy decision is challenged, the Court of Justice of the EU (CJEU) is likely to expedite the hearing given the importance of this issue. Ultimately the CJEU will have the final say here, and at this stage we can’t predict whether they would uphold the Privacy Shield decision or invalidate it, and if so on what grounds."
Max Schrems, the privacy campaigner behind the legal challenge that brought down the Safe Harbour data transfer mechanism, said the Privacy Shield is "little more than a little upgrade" to the old system and is "very likely to fail again, as soon as it reaches the CJEU".
"This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution," Schrems said. "The European Commission and the US government managed to make everyone miserable, when they could have used this opportunity to upgrade the protections that are crucial for consumer trust in online and cloud services."