The revamped data transfer deal between the EU and U.S. cleared a major obstacle Friday and looks to be ready for formal adoption early next week. The Article 31 Committee – a group of national representatives from the 28 EU Member States – approved the EU-U.S. Privacy Shield, with four representatives abstaining. 

In a joint statement, European Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova said Member States “have given their strong support to the EU-U.S. Privacy Shield” paving “the way for formal adoption” of the agreement. “Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice,” they said.

“Today’s vote by the Member States is a strong sign of confidence,” Ansip and Jourova added.

Not all Member States agreed, however, with four choosing not to vote for approval. A diplomatic source told EurActiv that the European Commission was “paranoid” that if the abstaining countries were named, support for the agreement could be diminished, adding they were “very concerned that Member States will not help protect Privacy Shield.”

An official from the European Commission said that keeping voting breakdowns secret is standard in comitology votes such as this one.

Politico reports, however, that the four abstaining countries were Austria, Croatia, Slovenia, and Bulgaria.

The diplomatic source also told EurActiv the four countries that abstained will be “extremely vigilant” during the Shield’s annual review. “This is not going to be a box-ticking exercise, this is going to be a very detailed and in-depth review. Only adjustments from the review can save this from the (Court of Justice of the EU).”

The Article 29 Working Party – the collection of national data protection authorities from the EU – has also expressed concern, both in the past and on Friday, about the deal. A spokeswoman from the group told TechCrunch: “The main concern for everyone with the Shield is the need of robustness to avoid re-opening a period of uncertainty for companies, citizens and data protection authorities. It is already nine months since everything stopped.” 

The Working Party will meet on July 25 to review the new arrangement.

Julie Brill, who helped with the Privacy Shield negotiations when she was a commissioner with the U.S. Federal Trade Commission, told Privacy Tracker in an email that the adoption by the national representatives "is an important step" but conceded there "will be other important steps, including review by the Court of Justice of the EU." But that's not all, she warned, "Standard Contractual Clauases are also going to be reviewed by the CJEU."

But with a note of optimism, she added, "I believe Privacy Shield's enhanced privacy protections - especially with respect to onward transfer - and improved redress mechanisms - with respect to data collection and use by both companies and government - could result in Privacy Shield becoming the transatlantic data transfer mechanism that is most favored by the CJEU and European DPAs." 

DIGITALEUROPE – a group that represents the digital technology industry in Europe, including member such as Apple and IBM – applauded the Member State approval.  “We are pleased that the Privacy Shield mechanism has received broad support from Member States, said DIGITALEUROPE Director General John Higgins. “While negotiations have not been easy, we congratulate the European Commission and the U.S. Department of Commerce on the hard work over the past months aimed at restoring trust in data transfers between the EU and U.S.”

Higgins also added his hopes that the new deal “will ease some of the recent pressure on alternative transfer mechanisms, particularly standard contractual clauses, so that Europe can get back to focusing on how international data flows can play a part in contributing to economic growth.”

Digital rights group Privacy International said the new deal is simply an old problem. The group detailed four concerns it has with the agreement, including that it comprises “opaque documents that will be a field day for law firms”; concerns that not all the annexes meet the framework’s stated principles; it contains a lack of meaningful protections from mass surveillance; and a lack of independence of the proposed ombudsperson in the U.S.

Privacy International continued: “Because (Privacy Shield) fails to address the concerns expressed by the Court of Justice of the EU in the Schrems’ case last year, the new Privacy Shield is likely to be challenged in court.”

Max Schrems has already said he would challenge the legality of the agreement as soon as it’s finalized. 

The European Commission is expected to meet next Monday and then formally approve the deal Tuesday. U.S. Department of Commerce Secretary Penny Pritzker is also expected to be present during the formal adoption next week. 

Top image courtesy of the European Commission