U.S. and European officials have unveiled the formal version of a trans-Atlantic data transfer pact that will be a crucial underpinning to the massive amounts of economic activity between the two geographies. It replaces the previous "safe harbor" agreement that the EU's high court invalidated last year.

While the new pact represents progress, it must pass muster with EU nations, and also shouldn't be considered a full answer to the question of how citizens' data should be protected. 

Here are the details of the formal agreement, as reported by the New York Times:

The pact is the formal version of an agreement hashed out in early February after often-bitter negotiations, revamping the rules for how technology giants like Facebook and other conglomerates like General Electric look up, collect and manage online data, including social media posts, search queries and e-commerce purchases.

As part of the new agreement — known as the E.U.-U.S. Privacy Shield — companies will face stricter rules over how they move people’s digital data from the European Union to the United States. American officials have also agreed to new limits on the powers of the country’s intelligence agencies to gain access to Europeans’ online information when it is transferred to the United States.

The European Commission, the executive arm of the European Union, also gave its official backing on Monday after it released a so-called adequacy decision, an official text required to turn the data transfer pact into law.

Though the agreement still needs to be ratified by European Union member states, that is not expected to be contentious and is likely to happen in the coming months.

Analysis: Best to Temper Expectations

While the wheels may be in motion on the European side for the deal, "I doubt it will not be contentious," says Constellation Research VP and principal analyst Holger Mueller. "The standards are too different in Europe," he says. "And what is ever easy in Europe? So companies are still facing uncertainty and are in a legal quagmire, with their European data on US servers. Only one thing is clear: It is getting more and more complex to remain compliant."

Meanwhile, if the new pact passes it will keep trade between the U.S. and EU running smoothly. But as with the invalidated safe harbor agreement, "it's only a very small part of the picture," notes Constellation Research VP and principal analyst Steve Wilson. "These deals are about satisfying one corner of European data protection laws—the transborder flow rules. Transborder data flow rules basically say you must not move data from Europe into a jurisdiction where the privacy protections are weaker. Many countries have the same sort of laws, including Australia."

"Normally, as a business, you would have to demonstrate to a European data protection administration (DPA) that your information handling is complying with EU laws, either because your data center for example is located in a similar jurisdiction, or that you have legally binding measures in place," he adds. "This is why so many data centre providers and cloud services are building infrastructure in the EU."

But there's much more to the data privacy discussion than security and where a data center is located, Wilson cautions. 

"American businesses must not think that just because there is a new get-out-of-jail clause for transborder flows, then their privacy obligations are met," he says. "More important than data protection is collection limitation, usage limitation and transparency. A business under EU privacy laws—and the laws of 100 countries around the world—needs to exercise constraint and openness, above all else."

This can be laid out in terms of five "Ws" and one "H," Wilson says: "Tell people what data about them is collected and why; how, when and where it is collected, and who else can gain access to it."
