National reps—as expected—give EU-US data transfer pact a grudging thumbs up.

Jennifer Baker

Privacy Shield is still likely to face a legal challenge.

Updated @ 13:08 GMT, July 8—As expected, the Article 31 committee of national representatives waved through Privacy Shield on Friday morning.

Original story

BRUSSELS—Privacy Shield—the much maligned replacement to the Safe Harbour deal between the European Union and the US—looks set to be approved by national representatives on Friday, Ars understands.

The scheme, which will allow the transfer of personal data from the EU to the US despite privacy and data protection concerns, has faced an uphill battle. Brussels officials who negotiated the deal on behalf of the EU have been desperate to push it through in the face of criticism from the European Data Protection Supervisor, national data protection authorities, and the European Parliament, in order to give some legal certainty to companies that rely on transatlantic data flows.

Many businesses have been in legal limbo since the Safe Harbour agreement was ruled invalid by the European Court of Justice (CJEU) last year. It found that—in light of Edward Snowden’s disclosures of US National Security Agency spying—personal data wasn't safe.

A vote from the Article 31 group, made up of representatives from all EU member state governments, is the final hurdle. It has been critical of the deal up to now, but sources told Ars that having finally seen the text—after two false starts where the expected document wasn't presented—it will concede that enough assurances have been given by the US for the deal to be cleared.

The agreement is expected to be discussed by the European Commission next Monday, it will then be formally approved on Tuesday, followed by the deal being inked by justice commissioner Vera Jourová and US secretary of commerce Penny Pritzker on Tuesday, Commission sources confirmed to Ars.
On Monday afternoon Jourová faces a grilling from MEPs sitting on the justice and civil liberties committee, but at that point it will be too late for any intervention.
“My understanding is that the Article 31 committee approval is pretty forthcoming. Others like Max Schrems or some MEPs may be less enthusiastic but for them nothing short of the European Commission walking on water would be good enough,” law partner in the global privacy and cybersecurity practice of Hogan Lovells, Eduardo Ustaran, told Ars.

There have been substantial improvements to the text originally criticised by MEPs, according to Bruno Gencarelli, who is head of the commission’s data protection unit. Changes include stronger rules on data retention, onward transfers and safeguards on access to data by public authorities, as well as a US ombudsman “fully independent from intelligence agencies,” he told a privacy laws conference in Cambridge on Wednesday.

He added that companies will need to update their data management procedures and will not simply be able to reply on old Safe Harbour processes.

Earlier this week, Germany's Hamburg data protection watchdog Johannes Caspar told local media that the Article 31 negotiations behind closed doors lacked transparency. He argued that the commission’s desire to push the deal through as quickly as possible may undermine any real regulatory certainty.

Privacy watchers predict that the deal will end up before the CJEU again before too long.