New transatlantic data deal draws fire from privacy advocates

A new transatlantic data transfer deal will establish a last-resort arbitration panel to resolve complaints by individuals that U.S. companies have mishandled their data — but will not allow EU citizens to claim financial damages.


A draft text of the so-called Privacy Shield released early Monday also creates an ombudsman within the State Department to address complaints from Europeans that U.S. intelligence agencies have inappropriately accessed their personal data.

The agreement, which has yet to be approved by the 28 EU member states, replaces a 2000 pact that allowed over 4,000 U.S. companies to legally handle European citizens’ data.

It was struck down by the European high court in October over privacy concerns, prompting a scramble from the U.S. and the European Commission to avoid a shutdown of transatlantic data transfers.

Both of the new redress mechanisms are already being portrayed as relatively weak by privacy advocates in the EU.

“Doubtful if ‘written assurances,’ ‘ombudsman’ and patchy judicial redress rights #PrivacyShield meet standards set by [EU high court],” tweeted European Parliament member Sophie in ‘t Veld.

Individuals who believe a company has mishandled their data must exhaust three separate mechanisms as a means of redress before they have access to the arbitration panel.

The panel can make binding decisions against U.S. companies, but the redress it can offer citizens must be “non-monetary” — meaning its authority is limited to correcting, returning or deleting the disputed personal data.

“These are the only powers of the arbitration panel with respect to remedies,” the text states. “No damages, costs, fees, or other remedies are available.”

The text of the new arrangement reveals a number of other updates to the original deal, including one section which is being interpreted to allow EU privacy regulators to unilaterally freeze transfers to the U.S. from their country.

“This means basically that there is no legal certainty for businesses that a ‘Privacy Shield’ certification ensures continuous data flows. Any national [data protection authority] can simply pull the plug under this system,” said Max Schrems, the privacy activist whose original complaint sunk the 2000 agreement.

Schrems argued in a Monday statement that the new deal will not withstand court scrutiny — nor will it get the approval of individual European privacy regulators, who are in the process of reviewing the text.

“They tried to put ten layers of lipstick on a pig, but I doubt the Court and the [data protection authority regulators] now suddenly want to cuddle with it,” Schrems said.