European and U.S. negotiators on Tuesday agreed on a set of privacy obligations for U.S. firms moving European citizens’ data across the Atlantic, replacing a framework struck down in October on grounds it did not sufficiently respect data privacy.
The new pact, dubbed the EU-US Privacy Shield, effectively gives U.S. firms a reprieve from the great uncertainty resulting from last year’s decision by Europe’s highest court that invalidated the “Safe Harbor” framework and jeopardized the ability of thousands of U.S. companies to move data across the Atlantic.
But the text has not been formally released, and officials have given out only a few details. The agreement in principle calls for companies to agree to “robust obligations” to protect European personal data and enables Europeans who feel their data has been accessed by U.S. intelligence agencies to complain to a new ombudsman. It also calls for an arbitration process for Europeans who feel their complaints are not being addressed.
The framework must still be approved in a multi-stage process led by the European Commission. And, most significantly, analysts expect that the deal will be challenged in European courts by data protection authorities or individual plaintiffs who feel it does not go far enough to safeguard their privacy.
“I’m convinced the new agreement will face legal challenges,” said Peter Swire, a Georgia Institute of Technology law professor who helped negotiate the original Safe Harbor agreement. “I expect the complaints to make it back to the European Court of Justice.”
The court last year ruled that Safe Harbor was invalid on grounds that it placed national security and law enforcement requirements over Europeans’ fundamental privacy rights.
“We are confident that we have met the requirements of the [ECJ] ruling,” U.S. Commerce Secretary Penny Pritzker said in a media call Tuesday. The new agreement, she said, “will allow the digital economy in the European Union and United States to grow, which is so critical to jobs and economic security.”
On the call, Pritzker said the Federal Trade Commission has agreed to cooperate with the European data protection agencies on complaints lodged by Europeans about alleged mishandling of their data. She said the framework provides for eight means for Europeans to pursue complaints. The new arbitration process, apparently, is one of them.
A European Commission news release describing the deal said, “For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.”
But Michael Vatis, a partner at Steptoe & Johnson, noted that “the U.S. has always taken the position that access by law enforcement and intelligence agencies to data is subject” to such safeguards. “This seems like an enormous fig leaf,” he said.
The news release also said that the Commerce Department will monitor whether companies publish their privacy commitments, which will be enforceable by the U.S. Federal Trade Commission. Though FTC enforcement action is important, it is unclear what Commerce Department officials will do if a company fails to publish its commitments. “That is a huge unknown,” Vatis said.
The deal is not a treaty but will be carried out at the executive-branch level with an exchange of letters, European officials said.
U.S. industry groups praised the deal. “We believe it is hugely significant that they have come to an agreement,” said Victoria Espinel, president and chief executive of the group BSA. “We were in a world that had a lot of confusion and unpredictability. We are now well on our way in moving back toward predictability and stability.”
But some were also skeptical that the issue was resolved. While the agreement is “an important milestone,” said Daniel Castro, a vice president at the Information Technology and Innovation Foundation, “the big question right now is whether the agreement will withstand the inevitable court challenge.” If it does, it could greatly boost the digital economy. “But until this is settled,” he said, “there is still a shadow of uncertainty for companies operating on both sides of the Atlantic.”
Max Schrems, an Austrian citizen whose 2013 complaint against Facebook with the Irish data protection commissioner led to the European Court of Justice ruling, called the agreement “laughable.”
He mocked the exchange of letters.
“With all due respect,” he said, “but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run.”
The Center for Democracy and Technology, a privacy group, said the pact seems to provide additional protections for E.U. citizens. But absent reform of U.S. surveillance law, said Jens-Henrik Jeppesen, the group’s director of European affairs, “it is highly unlikely that the Privacy Shield agreement will be deemed sufficient by the court of justice.”