European Union privacy watchdogs will let a new EU-U.S. commercial data pact underpinning billions of dollars of transatlantic trade run for at least a year without any legal challenge, they said on Tuesday.
That came as a relief to businesses from Alphabet Google (GOOGL) to Microsoft (MSFT) to Apple (AAPL) who have been mired in legal uncertainty over cross-border data transfers that are crucial to modern business since an EU court ruling last year.
The previous such data transfer framework, Safe Harbor, was struck down by the EU’s top court last October on the grounds that it allowed U.S. agents too much access to Europeans’ data.
The new EU-U.S. Privacy Shield will allow companies to transfer personal data from the EU to the United States – from human resources information to individual browsing histories to hotel bookings.
Since Safe Harbor was struck down, thousands of companies were forced to switch to more cumbersome mechanisms for legally transferring Europeans’ data to the United States.
Revelations three years ago from former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance practices caused political outrage in Europe and stoked mistrust of big U.S. tech companies.
The chair of the group of 28 EU data protection authorities said on Tuesday that the regulators would not launch any challenges to the new Privacy Shield until it has gone through its first annual review, expected sometime next summer.
“The first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made (by the U.S. government),” Isabelle Falque-Pierrotin, who heads the French data protection authority, told reporters.
Falque-Pierrotin said the regulators still wanted evidence from the U.S. government that its commitment to not conduct mass and indiscriminate surveillance would be met.
The powers and independence of a new U.S. privacy ombudsperson who will deal with complaints from EU citizens about U.S. surveillance practices could also be strengthened, Falque-Pierrotin said.
“The annual review will be a vital point to determine whether the safeguards are effective and make tweaks if necessary. We have full confidence that the Privacy Shield will be a success,” said John Higgins, Director General of DIGITALEUROPE, whose members include Google, IBM and Microsoft.
Falque-Pierrotin added regulators would have to investigate any complaints from individuals about the functioning of the framework but these would be “a case by case analysis.”
The legality of the other mechanisms firms have been using in the meantime, so-called standard contractual clauses which establish privacy protections between groups and binding corporate rules will also be assessed after the first joint review of the Privacy Shield.
“If the situation is considered as OK at the first annual review on the public security side, it is going to have an impact also on the other transfer tools by reaffirming their legal robustness,” she said.
EU data protection authorities had demanded improvements to the Privacy Shield in April, forcing EU and U.S. officials back to the negotiating table to strengthen the privacy protections in the framework.
