There's a deal on the successor to Safe Harbor.
The European Union and United States have struck a last-minute deal on keeping transatlantic data flowing — and it should mean tough new obligations for both American companies and intelligence services.
This really went down to the wire: An end-of-January deadline for agreeing on the successor to the struck-down Safe Harbor agreement passed with no deal, and EU privacy regulators are meeting today and tomorrow to discuss their crackdown on companies that are sending EU citizens’ data to the U.S. without a legal basis.
There’s still a chance that the deal will hit some legal hurdles in the coming weeks as the precise wording is worked out, but assuming it goes ahead, here’s what it entails.
The new framework will be known as the EU-U.S. Privacy Shield. According to the European Commission (the EU’s executive body), it will do what Safe Harbor failed to do, a failure that led the EU’s highest court to strike it down last October: keep European citizens’ personal data safe.
Companies that sign up to the Privacy Shield program (which thousands will have to do, if they want to keep serving the half-billion people in the EU) will be subject to regular reviews of their data-processing practices. They will have to make new commitments about how they handle Europeans’ data, and there will also be tightened conditions for passing on that data to other companies or organizations.
Crucially, the U.S. has promised that access to Europeans’ data by American authorities will be “subject to clear limitations,” justice commissioner Vera Jourova said Tuesday afternoon. This will be backed up by written assurances from the Office of the Director of National Intelligence (ODNI) — a “unique step” for the benefit of Europeans, Jourova said.
“The new arrangement lives up to the requirements of the European Court of Justice,” Jourova said. “It will also be a living mechanism which will be reviewed continuously to check whether it functions well.”
For the first time, Europeans will have ways in which they can complain about the misuse of their data in the U.S.
The first step will involve complaining to the U.S. companies handling their data. If that doesn’t provide satisfaction, they will have access to “several accessible and affordable dispute resolutions,” Jourova said. EU data protection authorities will also be able to complain to the U.S. Department of Commerce, which will then have a deadline for responding. Finally, if nothing else works, there will be an ombudsman that is “independent of the U.S. intelligence services.”
“The U.S. side has clarified that they do not carry out indiscriminate mass surveillance of Europeans,” said European Commission vice president Andrus Ansip. Strangely, Ansip went on to say that Safe Harbor’s inadequacy had been apparent since 2013 (the year of Edward Snowden’s NSA revelations), and that it had been impossible back in 2000, when Safe Harbor was formulated, to imagine the “possibilities for mass surveillance.”
Square those statements as you will.
“The EU and U.S. are the closest allies,” Ansip said. “On a topic as important as this, we have to find common solutions. Both our citizens and our businesses will benefit from this.”
The Europeans will hold annual joint reviews with the Department of Commerce and the Federal Trade Commission (FTC) to check that the system is working as intended, with the first review taking place in 2017.
So what happens now? The European Commission will over the “coming weeks” draft a new adequacy decision — the technical term for the document the Commission must produce to certify that data transfers to the U.S. are acceptable. The U.S. also has things to sign, and it will be interesting to see if there is any political pushback against the concessions being made for the benefit of Europeans.
Will the Privacy Shield stand up in the long term? Time will tell. If someone like Max Schrems, the Austrian law student whose complaint led to Safe Harbor’s downfall, decides to challenge the new framework, the European Court of Justice may find itself taking another hard look.
For now, it looks like the transatlantic data economy can continue (almost) as before. Though not if you ask Schrems.
“With all due respect, a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Schrems said.
“I doubt that a European can walk to a U.S. court and claim his fundamental rights based on a letter by someone. The Commission could be en route to issuing a round-trip to the European Court in Luxembourg and back.”
Snowden’s not very impressed, either:
This article was updated to add details as they came in.