The United States and the European Union have reached an eleventh-hour agreement that will permit Facebook, Google and thousands of other companies to continue handling Europeans’ personal data.
Both Commerce Department and European Commission leaders insisted the new legal framework — which replaces a recently-invalidated agreement known as Safe Harbor — will stand up to court scrutiny.
“There will be complainants and new court rulings, but I am pretty confident this will stand,” Justice Commissioner Vera Jourova said in a press conference unveiling the pact.
The European high court struck down the original arrangement in October, claiming that the U.S. could not be seen to adequately protect privacy thanks to its mass surveillance practices. The two sides had been rushing to craft a replacement, with Europe’s data privacy regulators vowing to begin enforcement action this week.
Supporters say the new deal, known as the EU-U.S. Privacy Shield, will prevent a potentially catastrophic disruption to transatlantic trade by providing regulatory certainty to the over 4,000 firms that had relied on Safe Harbor.
“Today’s economy is online and it runs on data, and so the biggest winners here are the EU and U.S. economies,” Information Technology Industry Council President Dean Garfield said in a statement. “We congratulate European and American negotiators for their efforts to work through these complex issues and reach an agreement that is essential to innovation, job creation, and economic growth.”
But onlookers have long been skeptical that a replacement agreement will satisfy the high court’s ruling.
“We have to be absolutely sure that this stands in court. I want to be reassured, but I am not reassured yet,” European Parliament member Sophie in 't Veld said yesterday.
The key sticking point was whether the U.S. could adequately reassure European privacy regulators that citizens’ data would not be subject to “indiscriminate surveillance” by intelligence agencies. Andrus Ansip, Vice President for the Digital Single Market on the European Commission, insisted Tuesday that the Commission was satisfied the agreement met that condition.
“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Ansip said Tuesday.
He cited “detailed written assurances by U.S. on the safeguards and limitations by surveillance” in the new agreement.
U.S. officials said Tuesday that the Privacy Shield will still contain an exception for national security purposes, once characterized as a key roadblock in negotiations.
The new deal puts in place a redress scheme whereby EU citizens who feel their data has been mishandled can seek remedy via the Department of Commerce and the Federal Trade Commission — a core requirement of the high court’s ruling. The State Department will also create an ombudsman, whose office will address complaints on possible access by national intelligence authorities.
The arrangement also includes an annual review process that Jourova insisted would allow for real-time adjustments to the framework.
"The negotiations were structured around the [EU high court] case so that we could make sure we addressed the various provisions as delineated in the opinion," Commerce Secretary Penny PritzkerPenny Sue PritzkerThe Hill's Morning Report - Sanders steamrolls to South Carolina primary, Super Tuesday Biden's new campaign ad features Obama speech praising him Obama Commerce secretary backs Biden's 2020 bid MORE said on a call with reporters announcing the new framework.
Although the agreement is not subject to congressional approval in the U.S., the new deal must still receive approval from the 28 EU member states. Several EU Parliament members as recently as yesterday expressed deep skepticism that any replacement would be sufficiently robust.
“If this does not comply with the laws, then we can be sure that tomorrow, Max Schrems, a very active European citizen, plus another thousand of his friends are going to go to court,” in ’t Veld said yesterday, referring to the privacy advocate who effectively brought down Safe Harbor by lodging a privacy complaint with Ireland’s privacy regulator.
Jourova estimated Tuesday that the new mechanisms would be in place within three months.
--This post was updated at 12:16 p.m.