Representatives of the 28 states of the European Union approved the final version of the Privacy Shield agreement between the United States and the EU on July 8.
This is the final step before the agreement is formally adopted by the European Commission, which is expected to happen during the week of July 11. The Privacy Shield agreement is intended to protect the privacy of EU citizens as data about them flows between the EU and the U.S. and while that data is stored in the U.S.
The Privacy Shield replaces the former Safe Harbor agreement that was supposed to accomplish the same thing. But documents leaked by former National Security Agency analyst Edward Snowden showed that the Safe Harbor agreement was frequently ignored by the intelligence agency and that companies didn't always deliver on their promises of privacy following their self-certification. The Privacy Shield requires written assurances by the U.S. that it will respect European privacy laws for data stored in the U.S.
However, a number of privacy advocates in the EU have threatened to take the agreement to court, claiming that it doesn't go far enough in protecting the privacy of EU citizens. In addition, if the United Kingdom abides by the results of a recent referendum and pulls out of the EU, it's possible that the UK and U.S. would have to negotiate a separate privacy agreement.
Negotiators reached initial agreement on the Privacy Shield framework on Feb. 2. The proposed agreement went through the review process required in the EU, first by national data protection authorities, then by the EU's Data Protection Supervisor, both of which expressed reservations. However, neither has the authority to block the deal.
The EU Parliament approved the Privacy Shield in May, which allowed the agreement to move along to final approval by the 28 member nations.
Once the agreement receives formal approval by the European Commission, it will be in force. The U.S. Congress has already passed its enabling legislation in the form of the Judicial Redress Act, which gives EU citizens privacy rights similar to those of U.S. citizens.
The Privacy Shield agreement is critical to enabling the free flow of information between the U.S. and the EU. This data may include anything ranging from employee payroll data of companies with operations on both sides of the Atlantic to financial data used by banks and credit card companies.
Equally important, especially to European privacy advocates, is the data collected by U.S.-based Internet services such as Facebook and Google, both of which have faced criticism in Europe. Google's situation is under particular scrutiny, with European moves to require it to allow people to be forgotten.