Privacy Shield: Leaked Report Suggests EU Regulators Will Reject Proposed EU-US Data-Sharing Deal

A leaked report suggests that a group of European regulators is set to reject a data-sharing deal agreed to by EU and U.S. officials for the transfer of information across the Atlantic, leaving thousands of U.S. companies in limbo, including major technology companies like Google, Facebook and Twitter.

On Wednesday, the 28 European data protection commissioners charged with keeping their citizens' data safe will issue their opinion on Privacy Shield, the data-sharing deal announced in February, with the support of the Article 29 Working Party seen as crucial to the agreement being implemented.

The leaked report came from the German members of the Article 29 Working Party and says it “is not in a position to reach an overall conclusion on the draft adequacy decision.” The report goes on to say that, in particular, issues relating to national security matters could also affect “the viability of the other transfer tools” that companies use to transfer data between Europe and the U.S.

“The [Article 29 Working Party] is not yet in a position to confirm that the current draft adequacy decision does indeed ensure a level of protection that is essentially equivalent to that in the EU,” the leaked document says. However, sources speaking to Politico claim the most recent draft of the working group's decision does not have the same wording as the leaked document, though it broadly reflects the group's concerns.

When asked by International Business Times to comment on the leaked document, a spokesperson for Isabelle Falque-Pierrotin, the French data protection commissioner who leads the group, said the decision of the group “stays confidential until the end of the plenary session,” which takes place today and tomorrow in Brussels. The group is scheduled to hold a press conference Wednesday to announce its findings.

The leak comes at the same time as the Privacy Shield deal got the first backing of a major U.S. technology firm. “I’m pleased to announce today that Microsoft pledges to sign up for the Privacy Shield, and we will put in place new commitments to advance privacy as this instrument is implemented,” John Frank, Microsoft’s vice president of EU government affairs, blogged.

Last October, the European Court of Justice ruled that the 16-year-old Safe Harbor mechanism for transferring data — everything from your Facebook posts to employee payroll information — from Europe to the U.S. was invalid, claiming revelations by National Security Agency whistleblower Edward Snowden suggested European Union citizens’ data were not safe from mass surveillance by American authorities. Over 4,000 U.S. companies relied on Safe Harbor, meaning any uncertainly about the future of Privacy Shield will have a major impact.

“If the working party does not endorse the Privacy Shield and simultaneously states that organizations can no longer rely on some other the commonly used mechanisms for facilitating EU-U.S. data transfers, then it could have a significant impact on businesses” Kathryn Wynn, a data protection expert at the law firm Pinsent Masons, told IBT.

Among the issues thought to be of concern to the data protection commissioners is the role of an independent ombudsman within the U.S. government who will oversee data transfers and the six exceptions that allow the U.S. government to collect European citizen's data in bulk.

These are concerns shared by Privacy International, which stated in a report last week that Privacy Shield “does not significantly limit the ability of U.S. intelligence agencies to collect and use personal communications on a mass scale.” Privacy International additionally warned that the proposed ombudsman “lacks independence from the executive, as he/she is appointed by and reports to the secretary of state.”

As a result some U.S. companies are looking into the possibility of storing European data on the continent, and not transferring it to the U.S. To address this concern, cloud storage company Box today announced a deal with IBM to give enterprises the choice to store data regionally in Europe or Asia on the IBM Cloud. Box founder Aaron Levie said the move would help companies “overcome many of the data storage concerns faced by businesses in Europe and Asia.”

While this would work for a lot of U.S. companies, it is not a solution for major tech companies like Facebook and Google that rely on being able to aggregate all customer data to offer various products to consumers as well as helping sell targeted ads.

One of the major impacts of such a decision would see companies forced to store personal data in the EU and place major restrictions on its access by U.S. employees or U.S. businesses they transact with, Wynn said. “This would be expensive and restrictive in a way which could burden businesses.”

Privacy Shield emerged from eleventh-hour negotiations between EU and U.S. officials, but the deal came under fire from privacy advocates and lawyers who wanted more details on security and consumer protections. Following the announcement of the deal, the working party has been poring over the details, and for the mechanism to come into effect, it would need to issue what is known as an “adequacy decision.”

“There is one thing that is for sure: If these companies are using the former Safe Harbor framework, it is illegal because this has been clearly invalidated by the judge,” Falque-Pierrotin said in February, highlighting the fact that many companies are now in a state of limbo in relation to transatlantic data transfers.

While the European Commission can technically press ahead with Privacy Shield without the approval of the data protection commissioners, it would be a pointless exercise, as these officials have indicated a willingness to challenge any such action in the courts.