DHS giving 'active defense' cyber tools to private sector, secretary says
Key EU opinion on data deal expected next week
A working group of Europe's privacy regulators is expected next week to hand down an opinion that could potentially kill a recent U.S.-EU data flow agreement.
The test comes after the European Commission and the Commerce Department - following months of tense negotiations - reached a deal permitting Facebook, Google and thousands of other companies to continue legally handling Europeans' personal data.
The working group of the EU nations' 28 data protection authorities (DPAs) - domestic entities separate from the Commission that will be in charge of enforcing the new agreement - has spent the last two months picking through the 128-page agreement.
Now, it is poised to announce whether it believes the so-called Privacy Shield sufficiently protects European citizens' rights. Its approval is considered key to the ultimate success of the agreement.
"The discussions are not over yet," Isabelle Falque-Pierrotin, chairwoman of the working party, told reporters on Tuesday. "We have expressed our points of possible concerns. We still are discussing with the American public authorities on these points. Then we'll see what we'll be able to say next week."
She declined to speculate on how the working group might finally come down.
"There's no point in rehearsing it all now," noted Christopher Graham, the U.K. Information Commissioner, speaking on the same panel.
Falque-Pierrotin did acknowledge that key to the group's approval of the Shield would be the independence of a privacy ombudsman created by the new agreement. If the deal proceeds, the State Department will create an office to address complaints over possible access of personal information by national intelligence authorities.
"I think it's a very interesting innovation. Independence is the key criteria of assessing the position of this person," Falque-Pierrotin said.
Falque-Pierrotin has previously expressed concerns with the scope of U.S. surveillance permitted underneath the new agreement.
Critics have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European courts, where privacy is considered a fundamental right under the EU Charter.
In announcing the deal, Commission officials insisted that the U.S. had provided "detailed written assurances" that surveillance of Europeans' data by intelligence agencies would be subject to appropriate limitations.
"The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans," Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said when the deal was announced.
Onlookers believe that the working group's approval will hinge on whether it is satisfied by the U.S.'s assurances.
"A lot of this is going to come down to whether the data protection authorities are persuaded by the U.S.'s portrayal of the cumulative protections given to European citizens and the cumulative carving back on the NSA surveillance programs," Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S., told The Hill when the deal was announced.
If the European working group is not satisfied with the assurances from the Commerce Department, the consequences could be dire. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.
The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.
Privacy officials noted Tuesday that even if the working party does approve the Privacy Shield, the pact must still clear other hurdles before it can be finalized by the two governments, including a resolution in European Parliament.
And even if the deal is finalized, the European high court will likely still weigh in on its validity. The Privacy Shield's predecessor, a 15-year-old framework known as Safe Harbor, was struck down when the court deemed that the U.S. could not be seen to adequately protect EU citizens' privacy because of its surveillance practices.
"That's a decision that remains with the Court of Justice," said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority.