U.S. and European Union officials on Monday published new details of a hard-fought data-privacy accord agreed to earlier this month, adding new grist to political wrangling in Europe over the proposed agreement.
If finalized, the deal would re-establish an easy way for businesses to transfer personal information about Europeans to servers on U.S. soil. A prior agreement used by thousands of companies including Facebook Inc. and Alphabet Inc.’s Google was invalidated last year by the EU’s top court because of concerns over alleged U.S. surveillance.
In addition to tighter rules for private companies handling Europeans’ data, the new agreement obliges the U.S. to create a new U.S. ombudsman to follow up complaints about surveillance of Europeans. The 128-page package, known as “Privacy Shield,” also includes a letter from the office of the Director of National Intelligence that details U.S. intelligence practices and asserts that the U.S. doesn’t “engage in indiscriminate surveillance of anyone.”
Monday’s publication of the deal is likely to kick off protracted tussles in Brussels that will end up back to court. Lawyers say that could leave businesses in sectors ranging from retail to technology girding for legal challenges to trans-Atlantic data transfers underpinning billions of dollars of trade.
It also comes at the same time as businesses are preparing to cope with an EU privacy law expected to go into force in two years’ time.
The basic elements of the data deal have been known for nearly a month. While the agreement has been under discussion for years, negotiators from the EU and U.S. scrambled to reach the new data agreement—announced in early February—after the Luxembourg-based EU Court of Justice struck down the prior agreement, dubbed “Safe Harbor.”
Privacy advocates in the EU were quick to assail the commitments detailed on Monday as too weak to contain the behavior either of companies or of U.S. intelligence agencies.
“I really see some huge question marks with regard to the legal added value,” said Jan Philipp Albrecht, a staunch privacy advocate in Europe’s Parliament, representing the Green Party. “My impression is it will be very hard to justify.”
But officials at the European Commission, the EU’s executive arm, which negotiated the deal, rejected that criticism and said their work would withstand legal challenges.
“We believe that this is a watertight system,” a senior commission official said after the announcement. “We have done our best to build a sustainable system in the interest of both citizens and businesses.”
Technology lobby groups, including some that represent Facebook, Amazon.com and Google, were quick to praise the text, and urged EU member states to endorse the framework as providing sufficient protections for Europeans.
“We applaud the EU and U.S. for agreeing strong privacy safeguards that limit government access to commercial data,” Christian Borggreen, international policy director for the Computer & Communications Industry Association, said in a statement.
Separately, EU privacy regulators will also be poring over the details of the deal to see if it passes muster. Regulators would likely be the first recipients of complaints from Europeans about the handling of their data.
The role of the new U.S. ombudsman to investigate complaints about U.S. intelligence practices may be a subject of particular debate. The agreement states that the ombudsman’s office will be part of the U.S.’s State Department, and have authority to investigate complaints from Europeans that are referred by EU entities.
Under the terms stated in a Monday’s disclosure, the ombudsman will be obliged to report back that intelligence agencies have respected their legal commitments, or if not, to state that “such noncompliance has been remedied.” But the text specifies that the ombudsman won’t be able to say whether a person was actually under surveillance or the specific remedy applied.
“The EU and the U.S. tried to put about 10 layers of lipstick on a pig, but the core problems were obviously not solved,” said Max Schrems, the privacy activist whose initial lawsuit led to the overturning of the prior Safe Harbor agreement.
U.S. officials have rejected those characterizations of the deal or U.S. intelligence practices, saying that the EU and U.S. provide similar levels of protection, even if the EU and U.S. have different legal structures. U.S. officials have also underscored the economic consequences of arriving at a deal.
U.S. Commerce Secretary Penny Pritzker said in a statement Monday that the new agreement “provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”
(Published by The Wall Street Journal - February 29, 2016)