The EU-US Privacy Shield could now be adopted by the European Commission as early as next week.
In a joint statement, EU digital commissioner Andrus Ansip and justice commissioner Vera Jourová said that the "strong support" from the Article 31 Committee for the Privacy Shield "paves the way for the formal adoption of the legal texts and for getting the EU-US Privacy Shield up and running".
The EU commissioners said the Privacy Shield is "fundamentally different from the old 'Safe Harbour'", which was a data transfers framework that was ruled invalid by the Court of Justice of the EU (CJEU) last year. They said "consumers and companies can have full confidence in the new arrangement" and that it "reflects the requirements" laid out in the CJEU's judgment.
"For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data," Ansip and Jourová said.
They said the Privacy Shield also "protects fundamental rights and provides for several accessible and affordable redress mechanisms".
The Privacy Shield's privacy principles and accompanying documents were published by the European Commission earlier this year. At that time the Commission set out a draft 'adequacy decision' which endorsed the view that EU-US data transfers handled in line with the Privacy Shield's requirements would comply with EU data protection laws.
The ability to transfer personal data outside the European Economic Area is restricted under the EU's Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.
However, a committee of data protection authorities from across the EU called for changes to be made to the original Privacy Shield proposals. Ansip and Jourová said that the views of the authorities had been accounted for in the version now backed by the Article 31 Committee.
Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said, though, that a legal challenge against the Privacy Shield is "very likely" to be brought before the courts.
Hon said: "It is very likely that the Privacy Shield, if adopted by the Commission next week as expected, will be challenged by activists or data protection authorities, but it depends on what concessions the Commission managed to get from the US – especially on mass surveillance. If the Privacy Shield adequacy decision is challenged, the CJEU is likely to expedite the hearing given the importance of this issue. Ultimately the CJEU will have the final say here, and at this stage we can’t predict whether they would uphold the Privacy Shield decision or invalidate it, and if so on what grounds."