Safe Harbor 2.0 Dealdine Looms
A case brought against Facebook by Austrian data activist Max Schrems, shown here talking to the media in 2015, led to the European Court of Justice striking down the Safe Harbor agreement. Reuters

The new proposal that U.S. and European Union officials hope will replace the Safe Harbor provision has only created more questions on the state of international data transfers, a panel of top legal officials said Wednesday. The deal, known as the “Privacy Shield,­” still has to pass through a number of legislative hurdles and may take months to enact, if it’s enacted at all.

International corporations, and particularly U.S. technology companies, have been working in a legal gray area since the European Court of Justice ruled in October that the Safe Harbor agreement was invalid. The agreement, signed in 2000, made it possible for U.S. companies to extract data on European customers under a single provision rather than adhere to the privacy laws in each of the countries in the European Union.

U.S. and EU officials announced Tuesday they’ve agreed to the framework of a new deal, though the specifics remain unclear.

“Nothing really changed between yesterday and today,” said Chris Gallagher, senior vice president at Special Counsel, a legal staffing company that operates in 70 countries, and National Director of eQ, the company’s eDiscovery arm. “This was really a play to get the data privacy folks in the EU to give the U.S. more time before enforcement. All it did was extend the gray area we’ve been in for the last month for another two or three months and into early April at the earliest.”

Gallagher spoke Wednesday on a panel at the LegalTech trade show in New York City, where he was joined by Brian Corbin, vice president and assistant general counsel at JPMorgan Chase, and Kenneth Rashbaum, a partner at Barton LLP, who specializes in privacy and cybersecurity. Each participant agreed that the Privacy Shield raises more questions than answers at this point.

The date of implementation, what to expect from the EU approval process, the possible arbitration costs shouldered by U.S. companies and how much power will be given to the U.S. ombudsman overseeing European data complaints are all unclear.

“Business decisions now need to be made with privacy considerations upfront instead of in a reactionary way,” Corbin said, adding that the threat of a devastating data breach will likely convince companies to increase security. “It’s important to consider why this process is happening. Privacy is viewed as a fundamental human right in the EU, much like we might view free speech in the U.S.”

Safe Harbor was invalidated nearly four months ago, after Austrian privacy activist Max Schrems filed suit against Facebook. Schrems, citing the U.S. National Security Agency’s mass surveillance programs, argued that Facebook could not guarantee that his data was protected when it entered the U.S. New stipulations laid out under the Privacy Shield agreement say U.S. police and intelligence agencies seeking access to Europeans’ data will be subject to “clear limitations, safeguards and oversight mechanisms.”

“This is happening to a great extent because of historical considerations,” said Rashbaum. “Some of the countries with the strongest data protection were also under authoritarian regimes. You may have a harder time extracting data from Germany, France and Italy than a place like Ireland.”