Members of the European Union (EU) on Friday approved the final version of the Privacy Shield, a pact between the EU and the US that sets the terms for trans-Atlantic transfers of personal data. The EU Commission will formally adopt the agreement on Tuesday.
Lawmakers provisionally agreed to the Privacy Shield in February, after months of negotiating an agreement to replace Safe Harbor, the data-sharing agreement declared "invalid" by the European Court of Justice in October. Safe Harbor came under scrutiny after the Edward Snowden disclosures raised new concerns about the US' mass surveillance practices.
Not all EU Member States voted in favor of Privacy Shield -- Austria, Slovenia, Bulgaria, and Croatia all abstained, sources told Reuters. Austria and Slovenia have said the pact does not go far enough to secure the privacy of their citizens.
However, DigitalEurope, the industry group that represents firms including Apple, Google, and IBM, praised the final agreement in a statement Friday. The group noted that the final text improves upon the version cleared in February, offering greater clarity on data retention and stronger obligations regarding the continued transfer of data to third countries. Additionally, the group said the final version offers greater assurances against the bulk collection of data, as well as more clarity on the role of the ombudsman that the US will create within the State Department to handle data privacy complaints from EU citizens.
"We are pleased that the Privacy Shield mechanism has received broad support from Member States," DigitalEurope Director General John Higgins said in a statement. "While negotiations have not been easy, we congratulate the European Commission and the US Department of Commerce on the hard work over the past months aimed at restoring trust in data transfers between the EU and US."
US lawmakers went a step further to restore that trust earlier this year, with the passage of the Judicial Redress Act, which lets Europeans bring civil actions in the US if agencies there intentionally violate the US Privacy Act when handling personal data. The bill, which was not a required part of Privacy Shield, was signed into law by President Barack Obama in late February.
While the Privacy Shield is set to go into effect, both the EU and the US may eventually have to engage in further negotiations with the British government over the handling of its citizens' data, given that the UK recently voted to leave the EU.