U.S. and European Union negotiators reached an agreement on Tuesday to preserve European users’ privacy when data is transferred to servers in the United States, and maintains the ability of U.S. tech companies to legally store European data on their U.S. servers.
The new rule is set to replace a 2000 “safe harbor” agreement between the U.S. and E.U. that set minimum standards for data privacy and allowed thousands of companies a streamlined way to certify they were in compliance with those standards. That agreement was invalidated last year by the European Court of Justice, after a complaint by Austrian privacy activist Max Schrems, who argued that Facebook’s compliance with the safe harbor rules wasn’t enough to protect European users’ data from U.S. mass surveillance programs.
“Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency,” the European court wrote in its decision.
U.S. and E.U. officials had agreed to a grace period, where companies could still transfer data to the U.S. at least through Jan. 31 under standardized privacy-protecting contract terms known as “model clauses.” But when that date passed without an agreement on new safe harbor rules, big tech companies like Apple, Facebook, Google and Microsoft, as well as thousands of smaller organizations, began to risk costly individual scrutiny by European privacy regulators for their routine transfers of European user information to U.S. data centers.
The U.S. agreed to create a new ombudsman position to review European privacy concerns and to limitations on governmental access to European data.
“The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement,” the European Commission said in a statement. “To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access.”
As in the previous safe harbor rules, routine privacy complaints will also be reviewed by the Federal Trade Commission.