When the European Commission announced on Feb. 2 the agreement with the United States on how the U.S. and the European Union member nations would handle international data transfers while protecting the privacy of the data, it was hailed as a breakthrough.
But even at the time there were questions about exactly what was agreed to, how it would be enforced and when an official written agreement would see the light of day.
Since then, there has been a lot of public comment that the Privacy Shield, as it’s called, is likely meaningless rather than the great negotiation breakthrough as the parties to the talks described it.
Much of the reason its importance is questioned is that there is really nothing to show in terms of an official document, and that even the verbal framework that has been worked out will certainly be modified many times in the months or years before a draft is ready for ratification by the various parties.
But there’s also a suspicion that the verbal agreement, along with the annual certifications it contains, is more intended to keep European courts from getting involved than to lock in any real improvement in data privacy.
“It doesn’t have any teeth anyway,” said Teresa Schoch, associate director of the Berkeley Research Group, where she’s an expert in data governance. She sees the Privacy Shield agreement as a delaying action to provide time for EU member nations to approve a new set of data privacy regulations.
The General Data Protection Regulation (GDPR), as it’s named, has to be ratified by each of the EU member states, which could take another year and a half at least.
This means that the proposed Privacy Shield is nothing more than “a way to say ‘we’re working on this,’ but it’s not doing anything but getting things in line for when the new regulation goes into effect,” Schoch said.
“No one expects anything in writing for months,” she said. “Some nations won’t think [the Privacy Shield] is stringent enough, so it will be in limbo for a while.”
Schoch said that about 4,400 companies were covered under the previous Safe Harbor agreement that was struck down by the European Court of Justice last year. Half of those companies don’t even realize that Safe Harbor no longer exists, and the other half don’t know what to do in terms of data protection while the new agreement is still being worked out, she said.
Adding to the complexity of the agreement between the EU and the U.S. is the problem that it must be consistent with the new data protection laws being drafted in Europe independently of the Privacy Shield agreement.
This means that the official Privacy Shield agreement, once it’s drafted, must be in compliance with the GDPR as ratified by the EU states, adding another layer of uncertainty.
EU, U.S. Privacy Shield Deal Greeted With Claims It’s Meaningless
According to Schoch, the real reasons for the invalidation of the Safe Harbor agreement are also in doubt. The reason that’s been given was the revelations about pervasive data surveillance from former National Security Agency analyst Edward Snowden. But Schoch says an even more critical reason is the legal battle waged by the U.S. Department of Justice to get access to data belonging to a European citizen from a Microsoft server in Ireland.
Worse, she said, European privacy officials don’t think some American companies are protecting data on European citizens the way they are supposed to under current law.
Under the Safe Harbor agreement, U.S. companies could certify themselves as meeting European standards of privacy, but according to European assertions, many aren’t actually following those rules. “The Europeans were really ticked off that companies that were supposed to be self-certified didn’t change their activities,” she said.
While the draft of the Privacy Shield agreement will show up eventually, the problems of ensuring data transfer privacy are only going to get worse, said Berin Szoka, president of TechFreedom, a nonprofit think tank devoted to promoting technology that “improves the human condition.”
“This new Privacy Shield is not going to stand up in court,” Szoka said. “It’s a pretense that this is a solution. It’s political fiction.
“Even once the text comes out, the game that the EC is playing is that they’re going to keep moving the ball with a new assessment,” he said. The European Commission will assess how the U.S. is handling EU privacy each year as a part of the Privacy Shield agreement. Szoka said that the European courts will never be able to determine whether the U.S. is protecting European data because the new assessment will be out before they can consider the old one.
“This is a nightmare,” Szoka said. He said that at some point more lawsuits will be filed that could challenge the concept of model contracts or Binding Corporate Rules, two other methods of allowing foreign corporations to handle data on European citizens. Szoka said that if the European courts invalidate those, the result could disrupt business between Europe and other nations.
“There’s enormous legal uncertainty,” he said.
The uncertainty is compounded by the fact that the European Commission, which is the executive branch of the European government, and the courts there are clearly on different sides of how the privacy issue needs to be handled. The EC, while recognizing that the demands for privacy in some parts of Europe are very strong, also recognizes the need for business to continue. The courts, on the other hand, don’t necessarily see it the same way.
“It’s coming down to how legally consistent the European Court of Justice is going to be,” Szoka said. He noted that the court is made up of justices from each member nation and the roster of judges changes regularly.
Szoka said that the EC may change its mind about how much of a nightmare the privacy issue has become, and will urge the court to accept things as they are once the negotiations are done. “It’s entirely possible that the court will say this is adequate,” he said.