What to expect from Privacy Shield

While details of the new transatlantic data transfer pact known as Privacy Shield aren't expected until Monday, EU Ambassador David O’Sullivan told Passcode it contains the fundamentals to enhance privacy safeguards for Europeans.

After months of intense negotiations to craft a replacement for the transatlantic data transfer pact known as Safe Harbor, European Union officials are expected to release details of a replacement agreement Monday.

While the new version of Safe Harbor – known as Privacy Shield – will likely face intense scrutiny from privacy advocates and legal experts on both sides of the Atlantic, the EU ambassador to the US says he's confident the deal will contain the fundamentals needed to enhance privacy safeguards for Europeans.

"This hopefully gives us a very solid platform for protecting data sharing between the US and the EU," said Ambassador David O’Sullivan at an event hosted by Passcode in Washington on Friday. "This builds on the Safe Harbor. The basic principle is still the same."

In October, the EU's highest court struck down the 15 year-old Safe Harbor agreement that allowed US firms to certify they abided by EU laws for data transfers. The court's decision resulted from a case brought by Austrian privacy activist Max Schrems who argued Safe Harbor was no longer adequate due to US intelligence agencies' practices.

Earlier this month, EU officials announced several of the key components of the new agreement to replace Safe Harbor that the European Commission said "will provide stronger obligations on companies in the US to protect the personal data of Europeans."

For instance, said Ambassador O'Sullivan, the new framework will make it easier for Europeans to file complaints about potential privacy violations, ensures that regulators review the data transfer pact annually, and calls for the creation of a privacy ombudsperson.

"We’ve got a much clearer structure of complaint management," O’Sullivan said. "We’re able to be much more clear about how complaints can be managed by citizens themselves."

What's more, he said, Privacy Shield will allow EU citizens to lodge privacy complaints with companies directly, and failing that, seek out the EU Fair Trade Commission or an arbitration mechanism.

Earlier this week, the US enacted another mechanism to manage complaints, as President Obama signed the Judicial Redress Act. The law gives European citizens the right to sue if they feel their data has been misused by US law enforcement.

Monday's expected release of Privacy Shield will just be the beginning of the bureaucratic process of actually implementing the new data transfer agreement. National data protection authorities in Europe, the EU Parliament, and member states will have an opportunity to weigh in before the deal is finalized. 

Privacy advocates, including Mr. Schrems, may also mount legal challenges to Privacy Shield, said Amie Stepanovich, US policy manager at Access Now, who also participated in Friday's event. 

"Privacy Shield will inevitably face legal challenges. It's likely to be invalidated in the European courts unless the US makes legislative changes," said Ms. Stepanovich, who said that the pact may not be enough to safeguard European data without additional spy agency reforms in the US.

"We're disappointed that there isn't the surveillance reform needed to make Privacy Shield lasting," she said. With the current deal, she said, "the only thing we're agreeing on internationally is that governments are going to invade privacy."

Still, others on Friday's panel said the new pact was essential for ensuring some regularity when it comes to the movement of data across borders, which is vital for the biggest tech companies and also small and medium sized businesses.

"This isn't just a concern for tech companies or US companies. It's a global business and innovation concern," said panelist Josh Kallmer, senior vice president of Global Policy at Information Technology Industry Council, a trade association.

"Small businesses want to innovate and expand," he said. "Without certainty they're not likely to take risks."

Privacy Shield certainly won't end the ongoing debates over digital privacy matters in Europe, where the Edward Snowden disclosures sparked widespread backlash against both the US government and American tech companies over US surveillance practices.

Panelists Bruce Heiman, a partner at the law firm K&L Gates, which hosted Friday's panel discussion, said the European court's decision to invalidate Safe Harbor was a "political decision" aimed at the US government. And, unfortunately, "US companies were roadkill."