Despite its name, the EU-US Privacy Shield agreement announced this week has more to do with shielding U.S. companies from EU legal enforcement action than shielding EU users from privacy violations. And with many European privacy advocates predicting the agreement will fail to pass court scrutiny, the legal limbo over transfers of EU data to the United States could drag on.
Safe Harbor, the previous data transfer agreement, was struck down last October after an EU court ruled it violated European data protection rules. Two days after the deadline for crafting a replacement had passed, American and European negotiators announced a political agreement that would allow U.S. companies to continue to legally transfer personal information and data about European users and store it on U.S. servers.
The text of the agreement has not been published -- European privacy agencies have demanded more detail by the end of the month -- but negotiators said it includes stronger obligations on U.S. companies that handle European data.
U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission.
Again, details about those "robust obligations" have not been revealed.
While U.S. companies -- especially tech giants like Google, Microsoft, and Facebook, which rely heavily on the easy flow of data -- are primarily concerned with reestablishing a legal framework for data transfers, the real issue for Europeans is mass surveillance by government.
U.S. spying has been a contentious issue for European citizens ever since Edward Snowden revealed the extent of NSA surveillance -- and tech companies' compliance. But the agreement's negotiators claim to have established safeguards and transparency over government access to data.
For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access.
While the new agreement pays lip service to the idea of protecting personal data from surveillance, "it's a promise without any possible weight behind it," said Steve Hunt, an industry analyst with Hunt Business Intelligence. Such an agreement "would require policy and oversight that extends far beyond traditional government reach" and would be "so costly and difficult that it would be practically impossible."
The prospect of getting legal redress in the United States is also an iffy proposition. "Republican insistence on exceptions for what they see as U.S. national security interests could complicate compliance even further," the Chicago Tribune points out. "Republican senators are looking to insert a provision that would oblige the Attorney General to certify whether a country whose citizens will have redress don't have policies that endanger U.S. national security."
Not to mention that "we all know how good the NSA is at hiding what it's actually doing from oversight bodies," TechDirt writes. "[By] focusing the agreement on how to allow data transfers without actually tackling how to stop mass surveillance is inevitably a fake solution."
Several privacy groups have called on the United States to improve its privacy laws to match those in Europe. "The problem is that the U.S. remains unchanged," said Marc Rotenberg, president of the Electronic Privacy Information Center.
Max Schrems, whose complaints about Facebook's handling of personal data ultimately brought down Safe Harbor, was skeptical Privacy Shield would withstand legal challenge: "The [European] Court has explicitly held that any generalized access to such data violates the fundamental rights of EU citizens. [And] the Commissioner herself has said this form of surveillance continues to take place in the US."
European data protection authorities also have doubts about Privacy Shield. "We have concerns, in particular with the scope of the surveillance and the remedies," said Isabelle Falque-Pierrotin, France's privacy chief.
Ultimately, EU-US Privacy Shield is what Computerworld calls a win-win in diplomatic terms: "The EU gets a solemn promise of privacy protections, which its voters want. And the U.S. gets no delays in data transfers, which U.S. companies want."
It remains to be seen whether European privacy advocates -- and courts -- will be content with a lose-win in reality.