According to Schoch, the real reasons for the invalidation of the Safe Harbor agreement are also in doubt. The reason that's been given was the revelations about pervasive data surveillance from former National Security Agency analyst Edward Snowden. But Schoch says an even more critical reason is the legal battle waged by the U.S. Department of Justice to get access to data belonging to a European citizen from a Microsoft server in Ireland.
Worse, she said, European privacy officials don't think some American companies are protecting data on European citizens the way they are supposed to under current law.
Under the Safe Harbor agreement, U.S. companies could certify themselves as meeting European standards of privacy, but many aren't actually following those rules according to European assertions. "The Europeans were really ticked off that companies that were supposed to be self-certified didn't change their activities," she said.
While the draft of the Privacy Shield agreement will show up eventually, the problems of ensuring data transfer privacy are only going to get worse, said Berin Szoka, president of TechFreedom, a nonprofit think tank devoted to promoting technology that "improves the human condition."
"This new Privacy Shield is not going to stand up in court," Szoka said. "It's a pretense that this is a solution. It's political fiction.
"Even once the text comes out, the game that the EC is playing is that they're going to keep moving the ball with a new assessment," he said. The European Commission will assess how the U.S. is handling EU privacy each year as a part of the Privacy Shield agreement. Szoka said that the European courts will never be able to determine whether the U.S. is protecting European data because the new assessment will be out before they can consider the old one.
"This is a nightmare," Szoka said. He said that at some point more lawsuits will be filed that could challenge the concept of model contracts or Binding Corporate Rules, two other methods of allowing foreign corporations to handle data on European citizens. Szoka said that if the European courts invalidate those, the result could disrupt business between Europe and other nations.
"There's enormous legal uncertainty," he said.
The uncertainty is compounded by the fact that the European Commission, which is the executive branch of the European government, and the courts there are clearly on different sides of how the privacy issue needs to be handled. The EC, while recognizing that the demands for privacy in some parts of Europe are very strong, also recognizes the need for business to continue. The courts, on the other hand, don't necessarily see it the same way.
"It's coming down to how legally consistent the European Court of Justice is going to be," Szoka said. He noted that the court is made up of justices from each member nation and the roster of judges changes regularly.
Szoka said that the EC may change its mind about how much of a nightmare the privacy issue has become, and will urge the court to accept things as they are once the negotiations are done. "It's entirely possible that the court will say this is adequate," he said.