European Union privacy watchdogs will let a new EU-U.S. commercial data pact underpinning billions of dollars of transatlantic trade run for at least a year without any legal challenge, they said on Tuesday.
The previous such framework, Safe Harbour, was struck down by the EU’s top court last October on the grounds that it allowed U.S. agents too much access to Europeans’ data.
The new EU-U.S. Privacy Shield will allow companies to transfer personal data from the EU to the United States – from human resources information to individual browsing histories to hotel bookings.
Since Safe Harbour was struck down, thousands of companies including Alphabet Inc’s Google and Microsoft , have been mired in legal limbo, forcing them to rely on more cumbersome mechanisms for legally transferring Europeans’ data to the United States.
Revelations three years ago from former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance practices caused political outrage in Europe and stoked mistrust of big U.S. tech companies.
The chair of the group of 28 EU data protection authorities said on Tuesday that the regulators would not launch any challenges to the new Privacy Shield until it has gone through its first annual review, expected sometime next summer.
“The first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made (by the U.S. government),” Isabelle Falque-Pierrotin, who heads the French data protection authority, told reporters.
Falque-Pierrotin said the regulators still wanted evidence from the U.S. government that its commitment to not conduct mass and indiscriminate surveillance would be met.
The powers and independence of a new U.S. privacy ombudsperson who will deal with complaints from EU citizens about U.S. surveillance practices could also be strengthened, Falque-Pierrotin said.
She added that the regulators would have to investigate any complaints from individuals about the functioning of the framework but these would be “a case by case analysis.”
Falque-Pierrotin said that the legality of the other mechanisms firms have been using in the meantime, so-called standard contractual clauses which establish privacy protections between groups and binding corporate rules would also be assessed after the first joint review of the Privacy Shield.
“If the situation is considered as OK at the first annual review on the public security side, it is going to have an impact also on the other transfer tools by reaffirming their legal robustness,” she said.
EU data protection authorities had demanded improvements to the Privacy Shield in April, forcing EU and U.S. officials back to the negotiating table to strengthen the privacy protections in the framework.