US, EU face blowback on data deal

Getty Images

A proposed deal between the United States and the European Union that allows private companies to transfer data is coming under attack, effectively ensuring that U.S. firms operating in Europe will face protracted legal uncertainty.

Activists on Monday got their first look at the fine print of the Privacy Shield agreement and immediately erupted in protest. 

ADVERTISEMENT
“They tried to put 10 layers of lipstick on a pig, but I doubt [the European high court and privacy regulators] now suddenly want to cuddle with it,” tweeted Max Schrems, an Austrian privacy advocate.

The blowback is worrisome for the 4,000 U.S. firms that have been in legal limbo since October, when the European Court of Justice struck down a previous data-sharing deal over concerns with U.S. surveillance practices.

The agreement provides a simple way for U.S. companies to legally handle Europeans’ data, something that is done in industries ranging from hospitality to social media. It is considered critical to cross-Atlantic trade, which topped $1 trillion in 2014.

Although critics reserved judgment until the details of the new agreement were made public, the deal — if finalized — is expected to end up before Europe’s high court once again.

“Legal challenges were to be expected against the Privacy Shield almost regardless of what was in the text released today. That uncertainty is still there,” said Kendall Burman, a cybersecurity and data privacy counsel at Mayer Brown.

Business groups, eager to see the agreement come to fruition, applauded the draft document.

The negotiators of the deal have been quick to offer assurances that it satisfies the standards set by the high court’s ruling, claiming it “protects the fundamental rights of Europeans where their data is transferred to the United States and ensures legal certainty for businesses.”

But some privacy advocates — and European lawmakers — argue that the new draft is not viable because it still permits U.S. intelligence agencies to conduct “mass surveillance” of European citizens.

As part of the agreement, the U.S. agreed to provide “written assurances” at the Cabinet level that place limits on the government’s access to personal data for national security purposes.

A multi-page letter from Robert Litt, the general counsel of the Office of the Director of National Intelligence, said that the U.S. intelligence community “does not engage in indiscriminate surveillance of anyone, including ordinary European citizens.”

The European Commission has repeatedly backed up that assessment in its defense of the deal.

But in his letter, Litt described a carve-out in U.S. law that allows signals intelligence
collected in bulk to be used for six national security purposes, including “detecting certain activities of foreign powers” and counterterrorism efforts.

Privacy advocates immediately jumped on the description as proof that the agreement won’t stand up to court scrutiny.

“The U.S. openly confirms that it violates EU fundamental rights in at least six cases,” Schrems said Monday, calling claims that there is no mass surveillance a “charade” and “bluntly against the law.”

In an attempt to offer satisfactory oversight, the deal establishes an ombudsman within the State Department to address complaints from Europeans that U.S. intelligence agencies have inappropriately accessed their personal data.

Undersecretary of State Catherine Novelli, who also serves as senior coordinator for international information technology diplomacy, will fulfill the role, according to Secretary of State John KerryJohn KerryAn all-female ticket? Not in 2016 GOP senator calls for China to crack down on illegal opioid Obamas to live in home of former Clinton press secretary: report MORE’s letter.

“Under Secretary Novelli is independent from the U.S. intelligence community, and reports directly to me,” Kerry wrote.

But the new office has not satisfied critics, who argue Novelli lacks the appropriate authority to scrutinize intelligence practices and isn’t sufficiently independent from U.S. government. 

“Doubtful if ‘written assurances,’ ‘ombudsman’ and patchy judicial redress rights #PrivacyShield meet standards set by [EU high court],” tweeted European Parliament member Sophie in ‘t Veld.

Onlookers are not surprised that the Obama administration’s assurances were unsatisfactory to hard-line advocates.

“Privacy advocates will probably just not believe what the U.S. has to say about how its [privacy] protections work in practice, and they will no doubt attack any weaknesses in the laws itself,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.

But it remains to be seen whether the United States’s assurances will be enough to satisfy the EU high court when a challenge to the deal inevitably ends up before the bench. The court will have to consider both the complaints of privacy advocates and the commission’s insistence that U.S. practices are consistent with EU privacy protections, Foster says.

“The court would be in a difficult position to say, ‘We don’t believe the U.S. and we are not going to give any weight to the fact that the commission believes the U.S.,’ ” Foster said.

Separately, a working group of Europe’s 28 privacy regulators is currently reviewing the draft text. 

If the group doesn’t offer its approval, negotiators will have to return to the drawing board. In the meantime, Germany’s watchdog is already preparing to fine three “large international companies” for relying on the old agreement.

Complicating the uncertainty for firms is that even if the deal is approved and withstands legal challenges, under the current draft, the privacy regulators in any of the 28 EU member states could still freeze transfers to the U.S. from their country.

Not only that, Privacy Shield calls for an annual review to ensure it is adequately adhering to EU law.

So although business groups are bullish about Monday’s draft, most consultants are still advising companies to put alternative mechanisms in place to ensure they can continue transferring data across the Atlantic.

“Not only won’t we have any certainty about Privacy Shield until there is a case that is challenged in the Court of Justice but also because the program calls for annual review,” Foster said. “Potentially every year it could go away.”