EU's Privacy Shield data transfer framework officially adopted today
Business as usual for organisations that shuttle data between the EU and the US
The European Commission has officially adopted the Privacy Shield data transfer agreement between the EU and US, just days after member states voted in favour of the new regulations. Privacy Shield replaces the Safe Harbour Agreement, which was ruled unlawful by the European Court of Justice (ECJ) in October.
Andrus Ansip, European Commission vice president for the Digital Single Market, claimed that the approval will bring clarity to businesses moving data between the two regions. "We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible," he said.
"Data flows between our two continents are essential to our society and economy and we now have a robust framework ensuring these transfers take place in the best and safest conditions."
Privacy Shield contains mechanisms designed to ensure that data on EU citizens is protected under the Human Rights Act when stored in the US, effectively prohibiting its use for mass surveillance of citizens.
This will see the US Department of Commerce conduct regular updates and reviews of participating companies to see that the rules are being followed.
The US government also has to provide assurances to the EU that access to data is subject to clear limitations, safeguards and oversight, and that there are redress mechanisms for unfairly targeted citizens.
The framework will be reviewed once a year to ensure that it works as required and that any necessary changes and amendments can be made.
However, despite these provisions, some remain unconvinced by the framework. The Article 29 Working Party of EU data protection authorities said that it is insufficiently rigorous.
Another to speak out against the framework is Max Schrems, whose lawsuit against Facebook led to the demise of Safe Harbour. He suggested that a legal challenge against Privacy Shield would have the same outcome.
"Privacy Shield is the product of pressure by the US and the IT industry, not of rational or reasonable considerations. It is little more than an upgrade to Safe Harbour, but not a new deal," he said.
"It is very likely to fail again as soon as it reaches the ECJ. This deal is bad for users, who will not enjoy proper privacy protections, and bad for businesses which have to deal with a legally unstable solution.
"The European Commission and the US government managed to make everyone miserable, when they could have used this opportunity to upgrade the protections that are crucial for consumer trust in online and cloud services."
Privacy Shield was hurriedly put together after the Safe Harbour agreement was ruled unlawful by the ECJ last year. Without an alternative agreement in place, companies handling EU citizens' personal data on servers in the US would have been hampered.
The provisions of Safe Harbour were increasingly scrutinised, even before the Edward Snowden disclosures.
Safe Harbour was struck down in October by the ECJ, which claimed that "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (in particular the National Security Agency), the law and practice of the US do not offer sufficient protection against surveillance by the public authorities".
This judgement led to much confusion over what might and might not be legal in terms of handling and processing personal data.