After intense negotiations between senior EU and U.S. officials throughout the weekend and into this week, the European Commission announced Tuesday it has reached a new transatlantic data transfer agreement with the United States. The U.S. Department of Commerce later confirmed details in a conference call with reporters.

Though not yet legally binding, the agreement would pave the way for a new accountable regime for data transfers, that both provides EU citizens with a right of redress, involves written assurance from the U.S. that any surveillance on EU citizens will be limited and proportionate, creates a new position in the Department of State to help address surveillance concerns from EU citizens, and establishes an annual joint review of the framework.

Speaking at a press conference in Strasbourg, France, European Commission Vice-President Andrus Ansip said, “Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.” He also said the agreement “helps us build a Digital Single Market in the EU” and strengthens relations with the U.S.

Called the EU-U.S. Privacy Shield, the new agreement "will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies,” said Commissioner Věra Jourová. “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.”

During the conference call held Tuesday morning, Department of Commerce Secretary Penny Pritzker said she was “pleased” to announce the new deal, and specifically thanked Jourová and her team “on their incredible and focused work over the past two-and-a-half years.” She added, “It’s been a long road, but now we’ve turned a corner” which “signals the closeness of the U.S.-EU relationship.”

The European Commission has said that any new data transfer arrangement would have to withstand scrutiny from the European Court of Justice (ECJ), the judicial authority that invalidated the former Safe Harbor agreement, and when asked directly about whether this new agreement will withstand a challenge, both Jourová and Pritzker responded in the affirmative, saying the ruling had been a guideline for the negotiations. “Of course,” Jourová said, “there might be new complaints and new court rulings, but I’m also pretty sure this new scheme will withstand any assessment from a legal point of view.”

Though the Commission has not disclosed any written text of the EU-U.S. Privacy Shield agreement, the College of Commissioners approved the political agreement on Tuesday. Jourová also said she has spoken with Article 29 Working Party (WP29) Chairwoman Isabelle Falque-Pierrotin and will officially present the agreement to the data protection authorities (DPAs) Wednesday in Brussels. It is not yet known how the WP29 will react to the new agreement. They are, however, expected to issue a statement on the data transfer regime on Wednesday.

U.S. Secretary of State John Kerry has agreed to create a new position, an "ombudsman," within the State Department to follow up on complaints from EU citizens on U.S. surveillance and respond to inquiries about national security access to personal data upon referral from the WP29. “This is a new tool specifically designed for this arrangement,” Jourová explained. Plus, she said, once the Judicial Redress Act is passed by the U.S. Congress, EU citizens will have access to U.S. courts in cases of law enforcement purposes.

The European Commission and U.S. Department of Commerce will also meet for an annual joint review of the framework, as well as whether the U.S. Office of the Director of National Intelligence is living up to its written assurance that surveillance of EU citizens will be limited and proportionate. “This will not be a one-off, but a continuous process,” Jourová said.

Companies that agree to the EU-U.S. Privacy Shield must commit to “robust obligations” on how personal data is collected and processed and that individual rights are guaranteed. Businesses in the agreement will publish their commitments, which will then be monitored by the DoC and enforced by the U.S. Federal Trade Commission. Companies handling human resources data from Europe will also have to commit to complying with decisions made by the WP29.

Notably, and as was stated yesterday during Jourová’s speech to the LIBE Committee, the agreement would require that all citizen complaints be addressed through a multi-layered approach. Ideally, Jourová said, companies will be the first point of contact for a resolution. If not, then a free alternative resolution mechanism would be created to help with complaints. European DPAs could also refer complaints to the DoC or Federal Trade Commission. To ensure no complaint goes unresolved, Jourová said the agreement will include a “last resort mechanism” for individuals, though details on this have not been presented.

Moving forward, Jourová and Ansip will prepare a draft “’adequacy decision’ in the coming weeks.” The College of Commissioners would have to adopt the decision after receiving formal advice from the WP29 and after consulting with a committee of Member State representatives. Jourová said this may take up to three months.

The U.S. would also have to “make the necessary preparations to put in place the new framework,” including how it will monitor commitments and implement a new ombudsperson. In describing the role of the new ombudsperson, a senior Commerce official said “it will be implemented in the State Department, outside the intelligence community, allowing cooperation between that ombudsman and the necessary parties in other agencies, and allowing that person to leverage independent oversight and other functions over the intelligence community.”

The Commerce Department official also said it would soon hold briefings on the new obligations that U.S. companies would have to abide by, but could not provide details, other than saying "there will be a number of things that will be changing under Privacy Shield." There was no indication that the 4,400 companies previously Safe Harbor certified would have any head start toward compliance with the new agreement. 

Naturally, the new agreement has many critics.

Austrian lawyer and privacy activist Max Schrems, whose work ultimately led to the invalidation of the Safe Harbor agreement, said, “With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance.”

German Green MEP Jan Phillipp Albrecht, who helped guide the General Data Protection Regulation into fruition, also took to Twitter to state that no official text means there is no official agreement.

Yesterday, during Jourova’s speech to the LIBE Committee, Dutch MEP Sophie in ‘t Veld said, “We have to look at the agreement in more detail … We’re not talking about negotiations, we’re talking about whether the U.S. offers legitimate safeguards. You talked about written assurances from the administration, but there will be a new administration next year. What does that mean if there’s a new Trump administration or Sanders administration?"

In response, Jourová and Ansip stressed the framework is a living agreement that will undergo continuous review. Ansip said the new arrangement “means we won’t wait 13 years to fix any problems. We will fix all those problems immediately – that’s the difference between the old Safe Harbor and the Privacy Shield.” 

Top image courtesy of the European Commission.