The tech world won’t be getting out of data limbo anytime soon.
Europe’s privacy watchdogs pushed back against a new EU-U.S. deal on data protection on Wednesday, injecting further uncertainty into how businesses will be able to handle the flow of data, from family photos to bank details, across the Atlantic.
Data authorities from the EU’s 28 member countries asked the European Commission and U.S. Department of Commerce to change several elements of the “privacy shield,” which they had agreed in February after its predecessor, “safe harbor,” was struck down by the European Court of Justice late last year on privacy concerns.
Their reservations about parts of the new transfer deal, including U.S. intelligence agencies’ bulk collection of data for criminal and national security investigations, underscore the fact that there are likely to be legal challenges to the privacy shield as well.
“Given the negative opinion, a challenge to the privacy shield at the courts is even more promising,” Max Schrems, the Austrian privacy campaigner who originated the complaint against safe harbor, said in a statement. “Privacy shield is a total failure, that is kept alive because of extensive pressure by the U.S. government and some sectors of the industry,”
Under safe harbor, which lasted 15 years, more than 4,000 American companies — including firms like Facebook — were able to self-certify their adherence to the EU’s privacy requirements when transferring their European customers’ data to the U.S.
After a two-day meeting in Brussels, key representatives of the EU data protection authorities grouped in the so-called Article 29 Working Party said “negotiations on the shield are not finished” — and made clear they hope their criticisms will be heard.
Their findings are not binding, but the panel has influence. Its members are charged with investigating complaints about privacy violations and can suspend data transfers they believe break EU law. If the Commission ignores the authorities’ findings, it could undermine the EU executive’s position should the privacy shield be challenged in court like its predecessor.
The European Commission, which wants the privacy shield up and running by June, now has to choose between modifying parts of the plan as requested by the authorities, or digging their heels in — at the risk of further legal challenges.
‘Back to the drawing board’
Justice Commissioner Věra Jourová said in a statement that the data protection authorities had a number of useful recommendations and “the Commission will work to swiftly include them in its final decision.”
However, some are skeptical about any potential changes.
“I personally doubt the European Commission will change its plans much. There will be some political wording, but I think they will still push it through,” said Schrems.
Experts say the Americans are unlikely to reopen the areas of the deal to which the EU privacy bodies objected.
“The Working Party is basically sending the European Commission back to the drawing board on essential elements of the privacy shield,” said Wim Nauwelaerts, managing partner at the law firm Hunton & Williams in Brussels. “The U.S. authorities will probably not be keen to re-open negotiations on those elements. Even if they do, it looks unlikely that the shield will be up and running early June, as initially projected by the Commission.”
If Europeans’ confidence in safe harbor was undermined by the revelations of mass U.S. surveillance by former National Security Agency contractor Edward Snowden, then the terror attacks in Paris and Brussels were an invitation to “collect ever more data on a massive and indiscriminate scale in light of the fight against terrorism,” said Isabelle Falque-Pierrotin, who chairs the Article 29 Working Party, at a press conference Wednesday.
The EU privacy watchdogs are worried about the independence of a U.S.-appointed ombudsman who will investigate privacy complaints by Europeans, and want assurances that bulk data collection won’t be “massive and indiscriminate.” They are also demanding a review of the whole framework in two years to check compliance with a new EU general data protection regime, which will be in place by then.
One member of the U.S. Federal Trade Commission, Maureen Ohlhausen, said the privacy shield was an attempt to improve upon safe harbor, which was “not that easy for Europeans to use.”
A tech industry source, arguing that “lots of companies, startups and SMEs need to have some streamlined way to transfer data across the Atlantic,” said the privacy panel’s verdict “wasn’t a tearing up of the paper.”
The source said that, as a stopgap measure, companies could continue to use alternative frameworks for data transfers which they switched to after the European court struck down safe harbor. Known as “binding corporate rules” and “model clauses,” these are frequently used to by companies to transfer corporate and customer data.
Falque-Pierrotin said there was “nothing changed” for these alternatives — pending a final decision by the Commission.
For Nauwelaerts at Hunton & Williams, however, the privacy panel’s decision to withhold its assessment of these alternative tools pending that final decision means that legal uncertainty now weighs on all options for transatlantic data transfers.
“As a result of this, many businesses will find themselves between a rock and hard place,” said the lawyer.
Joanna Plucinska contributed to this story.
This story was updated to add a link to the DPA verdict.