The U.S. and EU have published the final text of their much-vaunted new Privacy Shield deal, which is supposed to ensure Europeans have adequate data-protection rights when U.S. companies import their personal data. The deal places major new obligations on those companies, which range from tech firms to many other kinds of multinationals.
As reported on the weekend, a major new part of this agreement is that U.S. intelligence services will have to adhere to new limits and oversight mechanisms when using Europeans’ data. The lack of these safeguards is what sunk the Safe Harbor agreement, the predecessor to Privacy Shield.
Europeans will also get new ways to complain in the U.S. about their data being misused. The U.S. State Department will set up a new ombudsman — supposedly independent of the national security services — to handle complaints about intelligence-related matters.
However, companies will also now have to resolve complaints within 45 days. Europeans will also be able to go to their local data protection authorities, who will work with the Federal Trade Commission (FTC) to make sure their complaints get properly investigated and resolved.
There will be a new, free-of-charge Alternative Dispute Resolution (ADR) system in the U.S. for the benefit of people in the EU. Companies on the Privacy Shield register (which they’ll have to be, if they want to handle Europeans’ personal data) will have to update their privacy policies to explain how people can access these services. Ultimately, if none of this resolves the complaint, there will be a new Privacy Shield Panel that can take binding decisions against U.S. firms.
Get Data Sheet, Fortune’s technology newsletter.
A big sore point under Safe Harbor was the lack of the agreement’s enforcement — companies signed up to the Safe Harbor register were supposed to abide by EU-grade data protection standards, but making sure this happened was another matter entirely. Say bye-bye to the old, self-regulating system.
“The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds,” said Vera Jourová, the EU’s justice chief.
Another thing to look out for, from the perspective of U.S. companies, is tightened restrictions on forwarding Europeans’ personal data to other companies. In the tech sector in particular, where functions of services are so often outsourced to smaller specialists, this is going to require a lot more diligence on the part of those directly serving Europeans. Why? Because the companies serving the customers will remain responsible for their personal data, even when it goes to those subcontractors.
Companies on the Privacy Shield register will also have to pledge to not collect more personal information that what they need for the purposes of their service.
U.S. firms will need to self-certify themselves for the Privacy Shield register on an annual basis, and the Department of Commerce will need to monitor and actively verify that their privacy policies meet the standards in the agreement. The U.S. government has promised to be better about keeping that register up to date.
So what happens next? A committee comprising representatives of the 28 EU member states will now need to examine the legal texts and the Commission’s draft “adequacy decision” (the document that will say it’s OK to transfer personal data to the U.S.) So will the Article 29 Working Party, the body through which the EU’s many data protection authorities work together.
It is by no means a sure thing that these regulators will give their approval to Privacy Shield. And what they say matters — the court ruling that sunk Safe Harbor confirmed the independence and power of these data protection authorities, so if they think the deal stinks, they can investigate and block data transfers no matter what adequacy decisions the Commission issues.
For more on privacy and national security, watch:
Whether or not this deal passes muster largely hangs on its national security aspects, and whether the EU regulators are sufficiently impressed with the surveillance reforms that have taken place in the U.S. since Edward Snowden’s era-defining 2013 NSA revelations.
These include President Obama’s 2014 Presidential Policy Directive 28, which told the agencies to target their data collection, and the 2015 USA Freedom Act, which is also supposed to rein in bulk surveillance. The U.S. government has also agreed to an annual joint review with the EU authorities to check that it’s sticking to its promises about nixing indiscriminate surveillance on the data of Europeans.
In the meantime, U.S. companies should be hoping this deal gets the green light soon. Regulators in Germany have already started cracking down on U.S. multinationals that are still transferring Europeans’ data under the defunct Safe Harbor agreement. And – worst-case scenario – there’s still a possibility that the EU privacy regulators might reject not only this deal, but the legality of alternative data-transfer mechanisms such as “binding corporate rules” and “model clauses”.
“As eager as businesses are for a replacement mechanism to be adopted, no one is going to want to invest the time and effort involved to self-certify and comply with the new commitment if it is simply going to fall over at the first challenge,” said Paula Barrett, partner and head of privacy and information law at law firm Eversheds.
And Max Schrems, the Austrian whose complaint led the European Court of Justice to nullify Safe Harbor, pointed out the U.S.’s promises still leave the way open for bulk collection of personal data for certain purposes — something the court said was unacceptable.
“Basically the U.S. openly confirms that it violates EU fundamental rights… The Commission claims that there is no ‘bulk surveillance’ anymore, when its own documents say the exact opposite thing,” Schrems said. “This charade is so bluntly against the law and the court judgement, that it begs the question what forces push the Commission in the background. This is obviously not driven by a rational implementation of the law and the judgement.”
However, the Computer & Communications Industry Association (CCIA) claimed the deal was a win for all sides. “We applaud the EU and U.S. for agreeing strong privacy safeguards that limit government access to commercial data,” said CCIA international policy director Christian Borggreen.
The details of the final deal may have arrived, but it’s definitely not yet time to exhale.
This article was updated as comments came in.