EU-US Privacy Shield set to come into force next week

EU member states vote in favour of revised Privacy Shield

Privacy Shield, the data-transfer pact between the EU and the US, will come into force next week after member states voted in favour of the agreement, which had been rejected in April by the Article 29 Working Party of EU data protection authorities.

The Privacy Shield was hurriedly put together after the Safe Harbour agreement between the two blocs was ruled unlawful by the European Court of Justice last year. Without an alternative agreement in place, companies handling EU citizens' personal data on servers in the US would have been hampered.

The European Commission announced today that member states had accepted the deal, which will be formally adopted on 12 July.

"The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business," claimed Andrus Ansip, European commissioner for the digital single market, and Věra Jourová, European commissioner for justice, consumers and gender equality, in a joint statement.

They claimed that it was "fundamentally different" from the old Safe Harbour. "It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice," they said.

"For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data."

Privacy Shield will also protect fundamental rights, they claimed, "and provides for several accessible and affordable redress mechanisms".

Safe Harbour, and its successor agreement, enables businesses running payroll and human resources in the cloud, as well as social media companies, to store and process personal data across both the US and EU in compliance with EU data protection rules.

The provisions of Safe Harbour had been increasingly closely scrutinised, even before the Edward Snowden disclosures. In 2011, Microsoft UK managing director Gordon Frazier claimed that Safe Harbour did not extend to the US Patriot Act, effectively putting all Europeans' personal data stored on US servers at the disposal of the US authorities.

Last October, Safe Harbour was struck down by the European Court of Justice, which claimed that "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (in particular the National Security Agency), the law and practice of the US do not offer sufficient protection against surveillance by the public authorities."

That judgement led to much confusion over what might and might not be legal in terms of handling and processing personal data.