The European Commission on Monday published details of Privacy Shield, the new agreement to facilitate the transfer of business data between the EU and the U.S. The deal has been welcomed by tech giants like Microsoft, Facebook and Google for the legal certainty it provides for their web and cloud services, but privacy advocates say the mechanisms are simply not strong enough to protect European citizens' privacy. One notable critic likened the pact's many loopholes to “putting lipstick on a pig.”
Privacy Shield, a replacement for the Safe Harbor framework struck down by a European court last year, was agreed to earlier this month in late-night negotiations by officials from the U.S. and EU.
Central to the new deal are the “strong commitments” U.S. authorities gave that Privacy Shield will be strictly enforced and that there will be no “indiscriminate or mass surveillance by national security authorities.” However, the new details show that bulk collection of data will be allowed in six specific circumstances — including countering cyberespionage by foreign governments, counterterrorism, cybersecurity and detecting and countering threats to U.S. or allied armed forces.
Another key part of the deal is the creation of an ombudsman who will work within the Department of State but who will be “independent from national security services.” The ombudsman will deal with complaints from European citizens who claim their data is not being handled properly by U.S. companies. The ombudsman position will be initially filled by former Apple exec Catherine Novelli, currently an undersecretary of state.
For U.S. companies who were left in limbo after Safe Harbor expired, the details of Privacy Shield give them specifics to work with. Companies doing business across the U.S. and Europe must:
- resolve customer complaints within 45 days
- sign up to the Privacy Shield register to handle customer data in Europe
- self-certify on Privacy Shield register and meet Department of Commerce verification
- take responsibility for how third-party partners handle customer data
“Protecting personal data is my priority both inside the EU and internationally,” EC Commissioner Vera Jourová said Monday. “Privacy Shield [has], for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.”
Most major multinational companies will have the bulk of these mechanisms in place already, said U.S. Chamber of Commerce Policy Counsel Adam Schlosser, but smaller businesses will need to expend significant time and resources bringing their practices in line. If national data protection authorities (DPAs) dont ratify Privacy Shield, then it could all be for nothing. “The biggest concern is preparing for the changes while there is uncertainty of whether or not the DPAs are going to accept the changes,” Schlosser said. “Companies need to know that their time and effort is going to be rewarded.”
Austrian legal student Max Schrems is the reason the Safe Harbor deal, which provided a legal umbrella for the transfer of data across the Atlantic for 15 years, was ruled invalid. He filed a case against Facebook in a European court, claiming his data was inadequately protected on the company’s servers in the U.S.
— Max Schrems (@maxschrems) February 29, 2016
Privacy Shield is meant to “restore trust in transatlantic data flows,” but Schrems is not convinced.
“The EU and the U.S. tried to put about 10 layers of lipstick on a pig, but the core problems were obviously not solved,” Schrems said in a statement. The privacy advocate believes the new deal will not stand up to the scrutiny of the European Court of Justice, which struck down the original Safe Harbor agreement last October.
“The court has required the European Commission and the U.S. government to go an extra kilometer — the ‘Privacy Shield’ is an aggregation of a couple extra inches,” Scrhems said. “There are obviously some minor improvements, but this is far from what the court required.”
But the deal's details have been welcomed by officials on both sides of the Atlantic who worked around the clock to get it over the line as Safe Harbor's expiry approached earlier this month. “The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals and businesses on both sides of the Atlantic,” said Penny Pritzker, U.S. secretary of commerce, on publication of the details Monday.
The U.S. business community also supports the new deal. “Overall, I think it is a good thing for U.S. companies,” Schlosser, from the U.S. Chamber of Commerce, told International Business Times.
Several trade groups, including the Computer & Communications Industry Association (CCIA), which counts Microsoft, Facebook and Google as members, have also welcomed the deal. “The Privacy Shield will provide strong privacy safeguards, legal certainty for companies and enhances transatlantic trust,” said Christian Borggreen, international policy director for the CCIA, in a statement.