A deal between the United States and the European Union on transferring data is facing another obstacle, with a key group of regulators demanding changes to the agreement.
Businesses on both sides of the Atlantic are anxious for the so-called Privacy Shield to be put in place. The deal would allow tech companies such as Google and Facebook to legally handle European citizens’ data, with the rules also helping industries such as hospitality and retail.
If the Privacy Shield is not finalized, businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.
“Something needs to get done. This no-man’s-land, this uncertainty, is creating a lot of global tension and impacting global business,” said Aaron Tantleff, a lawyer in the privacy and information management practice at Foley & Lardner LLP.
The European Commission and the Obama administration crafted the Privacy Shield after a previous agreement on data sharing was struck down by Europe’s high court over concerns about U.S. spying.
The new deal, which is only in draft form, underwent a review from a working group of 28 data protection authorities in Europe.
Their opinion, while non-binding, had been tensely awaited as a barometer of the deal’s viability in court, and came back decidedly mixed.
The group wrote that the current draft of the deal is a "major improvement" over the predecessor negotiated in 2000, but warned the draft still gives the U.S. too much leeway to carry out surveillance.
“The possibility that is left in the Shield for bulk collection which is massive and indiscriminate is not acceptable,” said Isabelle Falque-Pierrotin, chairwoman of the group of 28 data protection authorities.
The U.S. and the EU are under no obligation to change the agreement, but if they don’t, the matter could return again to Europe’s high court — with potentially ruinous results.
“If it’s robust enough to satisfy the working party, then it has a good chance of surviving scrutiny by the European Court of Justice,” Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S., told The Hill.
If negotiators don’t adequately address the working party’s concerns, Tantleff said, “you’re almost guaranteeing court action.”
Some think it’s unlikely the Commission and the Commerce Department, which led the talks on the U.S. side, will return to the negotiating table. The Commission has already indicated that it will persevere with the deal as written.
“Following #WP29 opinion today, I will continue to work for EU-US #PrivacyShield in place by summer. Important for our citizens & business,” Andrus Ansip, Vice President for the Digital Single Market on the EU Commission, tweeted on Wednesday.
If Commerce and the Commission feel they have already reached the best deal feasible, Tantleff said, they might move forward without renegotiating.
“The Commission is free to do whatever it wants,” he said. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield.”
Others say none of the complaints raised by the working group are particularly damning. A few minor tweaks, those experts say, and the agreement could proceed.
“I think the criticisms are relatively contained and fairly mild,” said Alan Charles Raul, former associate counsel to the president and leader of Sidley Austin’s privacy and data security practice. “I think it could provide the basis for some refinements by the Commission and ultimate approval of the draft adequacy decision.”
The pressure from companies to finish the data pact has been fierce.
Tech and industry groups have long been behind the deal. Microsoft offered one of the first major commercial endorsements of the Privacy Shield this week.
“Given the crucial importance of transatlantic data flows to the global digital economy, the national data protection authorities should not try to hold the digital economy hostage to extract further tweaks to the agreement,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation, a technology think tank.
But privacy advocates have fired back.
“Insane how industry lobbyists ignore all warnings and demand that #PrivacyShield is adopted. Later they'll complain about legal instability,” tweeted Max Schrems, an Austrian privacy activist.
Critics have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European courts, where privacy is considered a fundamental right under the EU Charter.
The European Court of Justice, Europe’s high court, struck down the Privacy Shield’s predecessor over fears about American snooping. Over 4,000 companies had used the so-called Safe Harbor agreement to shuttle information across the Atlantic.
Schrems, who brought the original case against Facebook that brought down Safe Harbor, has already indicated that he will challenge the new Privacy Shield with the data protection authorities if he believes it inadequately protects the right to privacy in the EU.
That’s what makes the working party’s approval so vital, legal experts say: Their official opinion is an indicator of how well Privacy Shield will fare when it’s attacked.