European negotiators needed six extra weeks, 10 extra pages and a series of assurances from their U.S. colleagues, but on Friday the new transatlantic data transfer deal cleared its final hurdle.
National data experts cast their votes — although four countries abstained — for a deal allowing companies to sign up to the “privacy shield” and transfer data, like payroll information and family photos, across the Atlantic.
The text will be endorsed by all EU commissioners in a meeting Monday. Justice Commissioner Věra Jourová and U.S. Secretary of Commerce Penny Pritzker will give the final stamp of approval Tuesday.
Both sides hope this ends some nine months of uncertainty for more than 4,000 companies.
“This is the first stepping stone to rebuild trust in transatlantic data flows, after months of uncertainty. This recreates trust, it offers some kind of beacon for Europeans for the future,” said Thomas Boué, European director general at BSA|The Software Alliance, which represents major tech players.
However, many inside and outside of the European Commission have doubts.
First, privacy activists are ready to challenge the deal in court, and even negotiators are braced for the worst. That raises the second concern, that companies will be reluctant to sign on out of fear the deal will ultimately be struck down.
Doubts weighed on the negotiators.
Four national data experts — meeting in the Article 31 Committee — abstained: Austria, Bulgaria, Croatia and Slovenia. Some countries don’t think the deal will survive legal challenges.
Austria was known to have reservations. The country is proud of its own data protection regime and previously voted against the EU’s General Data Protection Regulation because it deemed it too weak. Slovenia and Croatia sided with Austria, while Bulgaria apparently didn’t have voting instructions from its capital.
There were also objections within the Commission to the deal, which allows companies to send EU citizens’ data to U.S.-based offices and partners, but still allows for U.S. government parameters of surveillance.
According to the Commission, the deal “is fundamentally different” from the former “safe harbor” pact because “it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” read a statement by Commission Vice President Andrus Ansip and Commissioner Jourová.
But the criticism gives ammunition to privacy activists.
“They walked a mile but they should have walked a hundred miles,” Austrian privacy activist Max Schrems told POLITICO. Schrems challenged the safe harbor agreement before the European Court of Justice and won in October.
Businesses have since been in legal limbo. The ECJ ruled that safe harbor violated Europeans’ rights to privacy under the EU Charter of Fundamental Rights, forcing companies to resort to more complicated and costly solutions.
They have been pushing for a new agreement for months.
The EU and U.S. hammered out a draft in February. Instead of applause, the deal was criticized by national data agencies that must enforce it, as well as from the EU’s own Data Protection Supervisor and from the European Parliament.
Critics pointed out weaknesses, including that U.S. intelligence agencies retain their power to snoop on EU citizens’ data in bulk and that the ombudsman’s office, meant to defend Europeans’ interests in the U.S., lacks independence.
The European Commission and U.S. representatives of the Department of Commerce went back and forth for months over the fine print.
A final deal was struck June 24, and national representatives buried their concerns, reluctant to erode the value of the EU as the U.K. voted to leave.
When Jourová and Pritzker sit down Tuesday, they’ll stamp a deal no one is convinced will last.