U.S.-EU data deal won't end cross-border data uncertainty
A final endorsement from the European Commission is likely this summer, but despite American clarifications, Europeans are likely to keep challenging U.S. data practices.
This summer, the European Commission may approve the Privacy Shield framework -- a replacement for the court-nixed Safe Harbor arrangement that had previously governed U.S.-EU data transfers – but the international uncertainty is unlikely to end.
That uncertainty threatens trillions of dollars in trans-Atlantic business. Europeans, whose court system recognizes such concepts as the "right to be forgotten," remain worried about the ways in which less-privacy-concerned Americans might use their data for commercial and intelligence purposes.
"It is clear that a model 21st century trade agreement cannot neglect the importance of the free flow of data to trade, investment, and business operations," U.S. Ambassador to the EU Anthony Gardner said in an address to the U.S. Chamber of Commerce in Belgium last month.
He aimed to allay European fears.
Since the Privacy Shield was initially hammered out in February, many European officials have weighed in, largely in non-binding capacities and largely to oppose the measure.
"[T]he Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the [European] Court [of Justice]," opined European Data Protection Supervisor Giovanni Buttarelli late last month.
That court struck down Safe Harbor over privacy concerns late last year.
Data Protection Authorities from across the EU, represented in the Article 29 Working Party, also expressed reservations about Privacy Shield's privacy protections and vague wording, while noting the framework was an improvement over Safe Harbor.
Responding to DPAs' concerns, U.S. Ambassador Gardner clarified that Privacy Shield protections will "flow with [individuals'] data" even as that data is transferred to third parties.
He also stressed the notification requirements and complaint avenues included in the framework.
"Under the Privacy Shield, an individual may bring a complaint directly to a Privacy Shield participant company, and the company must respond to the individual within a fixed period of time," Gardner said. "If an individual submits a complaint to a DPA in the EU, the [U.S.] Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within a fixed period of time."
In the past few months, Congress passed – and President Barack Obama signed – the USA Freedom Act and the Judicial Redress Act, Gardner noted. The laws may give some comfort to privacy advocates.
Gardner also claimed American intelligence-gatherers are committed to as much transparency as possible – just look at the Tumblr account.
For some, the Privacy Shield seems like a solid framework.
"I think it's an improvement," U.S. Chamber of Commerce global regulation head Adam Schlosser told FCW. "It provides clarity. It's a step in the right direction."
The framework may not be perfect, but the alternative to a broad agreement are individual contract arrangements, the legal costs of which could keep smaller businesses from participating in trans-Atlantic markets.
The Privacy Shield still needs a final "adequacy decision" from the European Commission. Officials had initially expressed a hope to pen the decision by June, but Schlosser predicted it would come by July.
And then the real challenge will hit when the deal winds up in front of the court that killed its predecessor.
"Someone's going to bring a challenge to Privacy Shield," Schlosser said. "If not on hour one, then on day one."