The European Union’s highest court struck down the 15-year-old “Safe Harbor” data-transfer pact in October. But on Tuesday the European Commission announced that it had brokered a new data-flow agreement with the United States. Known as the “Privacy Shield,” the revision is meant to address the court’s problems with the old arrangement. But critics are already beginning to emerge.
The broad goal of this type of agreement is to shuttle data from EU to U.S. data centers in a way that complies with EU privacy laws and protects data from all sorts of government surveillance. The Privacy Shield promises to impose stricter standards on how companies communicate with customers and handle their data and calls for increased enforcement from the U.S. Department of Commerce and Federal Trade Commission. These agencies will also be involved in conflict resolution if Europeans feel that their data is being mishandled.
At this point the Privacy Shield needs to be turned into a full draft proposal so it can be submitted for approval by the 28 nation states in the EU. U.S. agencies and businesses also need to figure out how they will comply with the changes.
The plan is already generating skepticism and criticism, though. On Wednesday a group of European privacy agencies asked for a number of clarifications about the new agreement, fearing that it doesn’t do enough to protect European citizens from surveillance by U.S. government agencies. Isabelle Falque-Pierrotin, chief of privacy in France and chair of an EU body of data protection authorities, told the New York Times, “We want to receive the documents to assess whether the E.U.-U.S. Privacy Shield can answer our concerns. ... We have to review the consequences of this arrangement.”
Others worry about whether the new agreement will be viable. Austrian privacy campaigner Max Schrems told Ars Technica, “If this case goes back to the ECJ [European Court of Justice]—which it very likely will do, if there is a new safe harbour that does not meet the test of the court—then it will fail again, and nobody wants that.”
For businesses, especially small businesses, the cost burden of reforming to meet the new agreement could be significant, costing hundreds of millions of dollars across various industries. And the European Commission didn’t attempt to downplay this fact. In its announcement the commission said that U.S. companies would have “robust obligations” if they want to serve EU customers. Allison Grande wrote on Law360 on Tuesday, “The increase in compliance obligations and legal exposure compared with the previous regime should make companies think twice about blindly signing on to the revamped deal.”
When a full Privacy Shield draft emerges in the next few weeks, there will be more for interests groups to pick apart. But privacy regulations are so contentious right now that even without a draft it only took a few hours for the controversy to heat up.