Good news: A Safe Harbor agreement has been made! But (as always) take this with a grain of salt—legal battles may await it.

The move comes with a huge sigh of relief from companies and workers around the world. When the US-EU Safe Harbor agreement was invalidated back in October, it was seen by almost everyone as the worst case scenario: The European Court of Justice (ECJ) had totally scrapped a pact relied on by thousands of companies to navigate the transfer and storage of EU citizens’ personal information on U.S. servers without running afoul of any European privacy laws.

Photo Credit: Global Water Partnership - a water secure world cc

Though the case against Safe Harbor was not without merit (it protested the reportedly indiscriminate surveillance practices of the U.S. government), that didn’t make the loss of Safe Harbor any easier.

As time passed, things only seemed more dire. And as the January 31 deadline set by EU regulators passed with no agreement reached, businesses started steeling themselves as regulators frantically convened.

But now, after more than three months of often tense negotiations, the wait is over; Safe Harbor 2.0 is here. The forthcoming “EU-US Privacy Shield,” as it’s been dubbed, had its headline commitments announced Tuesday, and over the next few weeks it will be drafted into a formal framework. With billions at stake, many were clamoring for answers.

But until that’s published, the exact framework is a bit hazy. In the meantime, the European Commission has announced that the new arrangement will include at least the following:

  • Strong obligations on companies handling personal data, coupled with “robust enforcement” – U.S. companies that want to import personal data from Europe will have to abide by robust obligations about how personal data is processed and what individual rights are guaranteed. The Department of Commerce will monitor companies to ensure they publish their commitments, and published commitments will be enforceable.
  • Clear safeguards and oversight for U.S. government access – For what the press statement calls the first time, the EU has received written assurances from the U.S. that access by law enforcement and national security agencies will be subject to clear limitations, safeguards, and oversight mechanisms, and that exceptions will only be used to the extent “necessary and proportionate.” The U.S. has explicitly ruled out indiscriminate mass surveillance of EU personal data, and will submit to an annual joint review with the European Commission, the Department of Commerce, the FTC, European Data Protection Authorities (DPAs), and national intelligence experts from the U.S.; that review will also cover the issue of national security access. (Earlier this week, however, EU Justice Commissioner Vera Jourová noted that there will be three exceptions under which mass surveillance will be allowed.)
  • Effective protection of EU citizens’ rights with several redress options – Under the new framework, any citizen who considers their data misused can seek redress in several ways, including deadlines for companies to reply to complaints and the ability of DPAs to refer complaints to the Department of Commerce and the FTC. Alternative dispute resolution will be free of charge, and a new special Ombudsperson will be created to follow up on referred complaints.

It’s certainly more than nothing, but for the time being it’s clearly still being sketched out. However, that hasn’t stopped opponents from announcing their skepticism—and threatening legal action.

Many agencies and watchdogs have already stated that they will support further restrictions on how companies can move data if they suspect it is still being misused under the Privacy Shield. That doubt is not without reason: Max Schrems, the privacy campaigner whose legal action against Facebook ultimately triggered the collapse of Safe Harbor, released an initial statement skeptical of the new Privacy Shield, stating the continued surveillance “will be a sticking point for a new challenge before the [European Court of Justice].” For Schrems, as for MEP Jan Philipp Albrecht and some in the U.S. privacy community, the main issue is that nothing has legally changed on the U.S. side.

“This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision,” said Albrecht, who called it an affront to the ECJ and EU citizens that will certainly be headed to the ECJ. “The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens’ complaints.”

Additionally, as Marcus Evans, Boris Segalis, Adam Smith, and Christoph Zieger note for the Data Protection Report, yesterday’s announcement was just the first step, and corporations aren’t in the clear yet:

For the framework to succeed, the Commission also must convince the Article 29 Working Party (made up of representatives of the 28 EU Member State Data Protection Authorities) that it addresses their concerns and the ECJ decision in Schrems. The Article 29 Working Party will begin to consider these questions on February 3, 2016. It is understood that Member State Data Protection Authorities were consulted during negotiations, but their formal approval will be needed to calm fears that the new framework will be immediately challenged by the Data Protection Authorities, who have been deemed the ultimate decision makers by the CJEU in Schrems (as they will be in the front line receiving complaints from Mr. Schrems and other privacy activists and will then have to decide whether to suspend flows or face possible judicial review actions and ultimately further referrals to the CJEU as to the validity of such transfers or the arrangement).

EU Data Protection Authorities had agreed to refrain from taking enforcement action against companies that had relied on the US-EU Safe Harbor and which had not put in place an alternative export solution. This enforcement moratorium expired on January 31, 2016. They must also decide if they will extend this moratorium until the EU-US Privacy Shield comes into force.

After a little over three months of tense, quiet negotiations, it’s nice to finally have something to take to the data bank. But as with any major regulation, this is only the beginning.