By Katie Bo Williams - 02/07/16 07:30 AM EST
European privacy regulators are putting U.S. surveillance practices under the microscope, this time with a crucial transatlantic data deal hanging in the balance.
Legal and privacy advocates say European nations are poised to strike down the deal if they decide the U.S. hasn't done enough to reform its spying programs.
The new test comes after the European Commission and the Commerce Department — after months of tense negotiations — reached a deal this week permitting Facebook, Google and thousands of other companies to continue legally handling Europeans’ personal data.
A working group of 28 EU nations’ data protection authorities — domestic entities separate from the Commission that will be in charge of enforcing the new agreement — may now cast the deciding vote.
The group is spending the next few months picking through the so-called Privacy Shield agreement to determine if it adequately protects the personal data of European citizens.
“The Commission has said, ‘We’re satisfied. We believe them. We believe the U.S. has substantially changed its practices,’ and they are no longer going off the [Edward] Snowden revelations in the media,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.
“Whether the working group will go along with it is another question.”
The privacy advocate whose complaint against Facebook brought down the Privacy Shield’s 15-year-old predecessor agreement is already questioning the new deal’s validity.
“With all due respect ... a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Max Schrems of Austria said in a statement Tuesday.
The United States has been fighting against the perception that it tramples on civil liberties after ex-National Security Agency contractor Edward Snowden revealed the breadth of the agency’s snooping.
One sticking point in the Privacy Shield negotiations was over the scope of an exception allowing surveillance for national security purposes.
In announcing the deal, Commission officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations.
“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said Tuesday.
The U.S. has also agreed to create an office in the State Department, to address complaints from EU citizens who feel their data has been inappropriately accessed by intelligence authorities.
Complicating the working group’s approval of the deal is the hodgepodge of competing regulators in Europe. Each nation has an agency in charge of its own country’s regulation. Some countries — such as Germany — are seen as tougher on privacy than others, like France or the U.K.
While some countries consider U.S. privacy protections to be satisfactory, in others they are seen as woefully inadequate.
Defenders of U.S. intelligence practices often point to France and the U.K., arguing they are equally intrusive with their citizens' data.
A recent public report “pretty clearly documented that the protections are patchy, vary hugely and are nonexistent in some of the countries,” Foster noted.
Privacy advocates dismiss those arguments.
“You cannot pick the worst member state, like the U.K., and claim you are ‘equivalent’ to that,” Schrems said Tuesday. “First, this is not a price [sic] you want to win, secondly you have to meet the standards of the European Court of Justice, EU law and the EU Charter of Fundamental Rights — not the standard of the worst member state.”
The U.S. has made significant reforms to federal spying powers under the Obama administration.
The Privacy and Civil Liberties Oversight Board — a small bipartisan watchdog — on Friday said the government has begun addressing each of the nearly two-dozen recommendations it made following Snowden's revelations.
“[I]mportant measures have been taken to enhance the protection of Americans’ privacy and civil liberties and to strengthen the transparency of the government’s surveillance efforts, without jeopardizing our counterterrorism efforts,” the five-member board said.
But whether European countries believe those changes are sufficient to sign off on the Privacy Shield is uncertain. Each of the EU’s 28 member states must approve the deal before it can be finalized.
“A lot of this is going to come down to whether the data protection authorities are persuaded by the U.S.’s portrayal of the cumulative protections given to European citizens and the cumulative carving back on the NSA surveillance programs,” Foster said.
If the European working group is not satisfied with the assurances from the Commerce Department, the consequences could be dire. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.
The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.
Legislative changes in the U.S. seem unlikely. Congress is close to passing a privacy law considered crucial to getting seeing the Privacy Shield approved. But the bill — which gives EU citizens the right to sue in U.S. courts over the misuse of personal data — has sparked controversy on Capitol Hill.
Some lawmakers are expressing frustration that the EU has used the threat of enforcement action against U.S. companies to push Congress to make more concessions.
“It’s been hard enough to get the Judicial Redress Act passed — if they’re going to make more demands on Congress, there won’t be a lot of willing listeners here,” Sen. Chris Murphy (D-Conn.) told The Hill on Thursday.