Representatives of the 28 states of the European Union approved the final version of the Privacy Shield agreement between the United States and the EU on July 8.
This is the final step before the agreement is formally adopted by the European Commission, which is expected to happen during the week of July 11. The Privacy Shield agreement is intended to protect the privacy of EU citizens as data about them flows between the EU and the U.S. and while that data is stored in the U.S.
The Privacy Shield replaces the former Safe Harbor agreement that was supposed to accomplish the same thing. But documents leaked by former National Security Agency analyst Edward Snowden showed that the Safe Harbor agreement was frequently ignored by the intelligence agency and that companies didn’t always deliver on their promises of privacy following their self-certification. The Privacy Shield requires written assurances by the U.S. that it will respect European privacy laws for data stored in the U.S.
However, a number of privacy advocates in the EU have threatened to take the agreement to court, claiming that it doesn’t go far enough in protecting the privacy of EU citizens. In addition, if the United Kingdom abides by the results of a recent referendum and pulls out of the EU, it’s possible that the UK and U.S. would have to negotiate a separate privacy agreement.
Negotiators reached initial agreement on the Privacy Shield framework on Feb. 2. The proposed agreement went through the review process required in the EU, first by national data protection authorities, then by the EU’s Data Protection Supervisor, both of which expressed reservations. However, neither has the authority to block the deal.
The EU Parliament approved the Privacy Shield in May, which allowed the agreement to move along to final approval by the 28 member nations.
Once the agreement receives formal approval by the European Commission, it will be in force. The U.S. Congress has already passed its enabling legislation in the form of the Judicial Redress Act, which gives EU citizens privacy rights similar to those of U.S. citizens.
The Privacy Shield agreement is critical to enable the free flow of information between the U.S. and the EU. This data may include anything ranging from employee payroll data of companies with operations on both sides of the Atlantic to financial data used by banks and credit card companies.
Equally important, especially to European privacy advocates, is the data collected by U.S.-based Internet services such as Facebook and Google, both of which have faced criticism in Europe. Google’s situation is under particular scrutiny, with European moves to require it to allow people to be forgotten.
European Member States Approve Privacy Shield Agreement
Other areas of criticism include targeted advertising, such as those annoying ads from Google that keep appearing long after you’ve either purchased something or decided you aren’t going to.
For most companies, the Privacy Shield agreement is an important step in their efforts to conduct business outside of either the U.S. or the EU. Without it, companies had to have a contractual agreement that provided similar protections or any data transfer had to take place within a company or between a company and its subsidiaries. It’s now even more important because of efforts in Europe to invalidate such contractual agreements.
European leaders are expressing their support for the agreement. European Commission Vice President Andrus Ansip and Justice Commissioner Vera Jourova issued a joint statement that noted, “It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”
They also noted that for the first time, “the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”
Once the agreement gains final approval and is fully implemented, the next steps for both governments are to make sure that it’s actually honored. In the U.S., at least, there has been a strong temptation to circumvent any impediment to gathering information, regardless of whether it’s protected by treaty or statute.
While the most visible example of the tendency to ignore privacy rights emerged when Snowden started releasing documents, this is by no means limited to activities of the U.S. government.
In fact, businesses, including Google and social media companies such as Facebook, routinely gather as much information as they can, wherever they can, for their own uses. Those uses include everything from using photos of people so they can be tagged on Facebook to the previously mentioned sales of advertisements on Google. Now the real challenge will be to see if those companies can resist the temptation to ignore the Privacy Shield and respect the privacy rights of Europeans.
And who knows, maybe they can also respect similar rights for people in the U.S., and at least make it possible to opt out of those ads that users of the Internet find so annoying. I was reminded of that while working on this story while trying to get past a seemingly unlimited number of ads for a Toyota pickup truck that I once looked at in an ad months ago. Maybe the Europeans are on to something here.