Can EU-US data pact survive without surveillance reform?
While American and European negotiators reached a deal to replace the invalidated Safe Harbor data transfer agreement, the agreement may not be strong enough to satisfy European privacy advocates concerns about US spy agency snooping.
European Union and US officials this week reached a tensely anticipated agreement that staved off disrupting transatlantic data traffic between European and American firms. But the hard part now is figuring out how to sustain the pact without additional reforms of US surveillance practices in Washington.
After the European Court of Justice ruled last fall to invalidate an EU-US data transfer deal known as Safe Harbor over concerns about US spy agency surveillance, policymakers, tech companies, and data regulators on both sides of the Atlantic scrambled to reach an agreement that would satisfy European data protection agencies.
On Tuesday, the deadline European regulators set for a new agreement, the European Commission announced the so-called Privacy Shield agreement would replace Safe Harbor and govern how American companies handle personal data belonging to EU residents. The agreement is meant to ensure that US firms handle Europeans' data in way that's consistent with, and enforceable under, EU privacy laws.
Specific details of the agreement have not yet been released. But the pact is expected to introduce new compliance requirements for US companies and mechanisms for European residents to seek redress for perceived privacy violations by American firms.
What remains unclear, however, is whether the pact can sustain legal challenges in the EU such as the one raised by Max Schrems, the Austrian privacy activist who brought the case that eventually overturned Safe Harbor. Mr. Schrems successfully argued that Facebook’s practice of storing European data on servers based in the US and elsewhere violated EU data regulations.
The case highlighted widespread data privacy concerns that exist in the EU, stemming from Edward Snowden’s disclosures in 2013, of US government surveillance practices. And even though the Snowden disclosures ushered in some surveillance reform in the US, such as ending the National Security Agency's mass collection of phone metadata, many European privacy advocates are seeking additional reforms to further safeguard Europeans' data from being obtained by government agencies.
"I expect a cloud of uncertainty to hang over [Privacy Shield] until any challenges are addressed by the Court of Justice,” said Daniel Castro, vice president at Information Technology and Innovation Foundation.
The question is how businesses will react to that uncertainty, he said. "I expect that some businesses may try to provide additional confidence by opening European data centers," Mr. Castro said. “Unfortunately, because this is less efficient, these types of changes will ultimately result in higher costs for customers."
As currently written, the US Foreign Intelligence Surveillance Act (FISA) gives Washington the authority under certain circumstances to compel American firms to disclose foreign data in their possession, for counter-terrorism related purposes. Experts say the Privacy Shield agreement could deter overboard use of FISA authorities and introduce new visibility into the processes used by US companies for storing and handling personal data belonging to EU nationals.
The deal would introduce the idea of "essential equivalence" between how privacy laws are interpreted and applied in the EU and in the US, said Chris Calabrese, vice president for policy at the Center for Democracy and Technology, a tech advocacy group in Washington.
But it does not eliminate the government’s authority to force American firms to disclose data under the aegis of counter-terrorism. And that could be a problem from the EU Court of Justice’s point of view, said Mr. Calabrese.
"The fact of the matter is that US companies are in a terribly unfair position here," he said. "They have no choice but to comply with US surveillance law and they have no ability to change their practices to meet those requirements."
It’s hard to predict how the Court of Justice will view Privacy Shield without FISA reform, he said. But without that, said Calabrese, it is hard to see how any change to Safe Harbor can overcome the concerns that led to last October’s decision by the court.
If approved by EU member states and the respective data protection authorities, Privacy Shield will replace the previous Safe Harbor agreement that some 4,500 US companies had relied on for 15 years to show compliance with EU requirements. The deal will require a commitment from the US that EU personal data will be safe from generalized access by the government. It would also create a new process for the US Department of Commerce and the Federal Trade Commission to monitor and enforce that commitment and it would require the appointment of an Ombudsman to mediate disputes.
"For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms," Vera Jourova, commissioner of the European Commission, said in a statement.
From the standpoint of many in the tech industry, the deal is both a victory and a relief.
Victoria Espinel, president the tech industry trade group The Software Alliance, said the deal is the outcome of intense, months-long negotiations between officials at the US Department of Commerce and the EC. She said it reflects a pragmatic understanding, on both sides of the Atlantic, of the need to find a mutually acceptable way to sustain the estimated half trillion dollars trade relationship that had been enabled by Safe Harbor.
"Both the US and EU negotiators were constantly aware of the concerns that were raised by the court," said Ms. Espinel, who was in Davos in the days before the agreement representing software industry interests. "They very much bore those in mind throughout the last phase of the negotiations."
Espinel said the new pact would introduce some stability and predictability into a situation where US companies might otherwise have been subjected to varying privacy requirements from individual EU member nations, said Espinel. "One of the concerns we had was being in a situation where our member companies would have to deal with a patchwork of privacy regulations.”