When the European Commission announced on Feb. 2 the agreement with the United States on how the U.S. and European Union member nations would handle international data transfers while protecting privacy, it was hailed as a breakthrough.
But even at the time there were questions about exactly what was agreed to, how it would be enforced and when an official written agreement would see the light of day.
Since then, there has been a lot of public comment that the Privacy Shield, as it's called, is likely meaningless rather than the great negotiating breakthrough that the parties to the talks described.
Its importance is questioned largely because there is really nothing to show in terms of an official document, and because even the verbal framework that's been worked out will certainly be modified many times in the months or years before a draft is ready for ratification by the various parties.
But there's also a suspicion that the verbal agreement, along with the annual certifications it contains, is intended more to keep European courts from getting involved than to lock in any real improvement in data privacy.
"It doesn't have any teeth anyway," said Teresa Schoch, associate director of the Berkeley Research Group, where she's an expert in data governance. She sees the Privacy Shield agreement as a delaying action to provide time for EU member nations to approve a new set of data privacy regulations.
The General Data Protection Regulation (GDPR), as it's named, has to be ratified by each of the EU member states, which could take another year and a half at least.
This means that the proposed Privacy Shield is nothing more than "a way to say 'we're working on this,' but it's not doing anything but getting things in line for when the new regulation goes into effect," Schoch said.
"No one expects anything in writing for months," she said. "Some nations won't think [the Privacy Shield] is stringent enough, so it will be in limbo for a while."
Schoch said that about 4,400 companies were covered under the previous Safe Harbor agreement that was struck down by the European Court of Justice last year. Half of those companies don't even realize that Safe Harbor no longer exists, and the other half don't know what to do in terms of data protection while the agreement is still being worked out, she said.
Adding to the complexity of the agreement between the EU and the U.S. is the problem that it must be consistent with the new data protection laws being drafted in Europe independent of the Privacy Shield agreement.
This means that the official Privacy Shield agreement, once it's drafted, must be in compliance with the GDPR as ratified by the EU states, adding another layer of uncertainty.