The EU and US have agreed the final changes to a new data protection agreement known as the EU-US Privacy Shield.
The agreement is designed to replace the Safe Harbour pact, which the EU Court of Justice ruled invalid in 2015.
One key change is a commitment from the White House regarding bulk collection of data sent from the EU to the US.
The UK’s Information Commissioner said a post-Brexit UK may have to adopt EU data protection rules to trade with it.
If approved by the EU member states, the pact could take effect in July.
The EU-US Privacy Shield is designed to make it easy for organisations to transfer data across the Atlantic.
Key points of the agreement are:
- The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data
- The US Office of the Director of National Intelligence will give written commitments that Europeans’ personal data will not be subject to mass surveillance
- The EU and US will conduct an annual review to check the new system is working properly
However, in May the European Data Protection Supervisor (EDPS) said the Privacy Shield agreement needed to provide “adequate protection against indiscriminate surveillance” and “obligations on oversight, transparency, redress and data protection rights”.
The agreement has now been amended. Some of the changes include:
- A written commitment from the White House, stating that bulk collection of data sent from the EU to the US can only occur under specific preconditions and must be “as targeted and focused” as possible
- More explicit data retention rules: companies now have to delete data that no longer serves the purpose for which it was collected
- A specification that the ombudsman will be independent from national security services
A spokesman for the European Commission said: “This new framework for transatlantic data flows protects the fundamental rights of Europeans and ensures legal certainty for businesses.”
While the EU-US Privacy Shield agreement would only apply to the UK while it remained a member of the European Union, the UK’s Information Commissioner said Britain would probably need to adopt similar terms.
“If the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’ – in other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018,” said a spokeswoman for the Information Commissioner’s office in a statement.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”