Despite its name, the EU-US Privacy Shield agreement announced this week has more to do with shielding U.S. companies from EU legal enforcement action than shielding EU users from privacy violations. And with many European privacy advocates predicting the agreement will fail to pass court scrutiny, the legal limbo over transfers of EU data to the United States could drag on.
Safe Harbor, the previous data transfer agreement, was struck down last October after an EU court ruled it violated European data protection rules. Two days after the deadline for crafting a replacement had passed, American and European negotiators announced a political agreement that would allow U.S. companies to continue to legally transfer personal information and data about European users and store it on U.S. servers.
The text of the agreement has not been published -- European privacy agencies have demanded more detail by the end of the month -- but negotiators said it includes stronger obligations on U.S. companies that handle European data.
U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission.
Again, details about those "robust obligations" have not been revealed.
While U.S. companies -- especially tech giants like Google, Microsoft, and Facebook, which rely heavily on the easy flow of data -- are primarily concerned with reestablishing a legal framework for data transfers, the real issue for Europeans is mass surveillance by government.
U.S. spying has been a contentious issue for European citizens ever since Edward Snowden revealed the extent of NSA surveillance -- and tech companies' compliance. But the agreement's negotiators claim to have established safeguards and transparency over government access to data.
For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access.
While the new agreement pays lip service to the idea of protecting personal data from surveillance, "it's a promise without any possible weight behind it," said Steve Hunt, an industry analyst with Hunt Business Intelligence. Such an agreement "would require policy and oversight that extends far beyond traditional government reach" and would be "so costly and difficult that it would be practically impossible."