European regulators voiced their reservations about a major data protection agreement that would affect several of the largest US technology companies at a press conference in Brussels today. The proposed “Privacy Shield” agreement would theoretically provide a legal framework governing how U.S. companies could transfer and store private data on EU citizens.
The statements were made by Isabelle Falque-Pierrotin, chairperson of the Article 29 Working Party, a consortium of national privacy watchdogs in Europe. Falque-Pierrotin said the proposed agreement failed to provide protections for European consumers equivalent to what is required under EU (European Union) regulations. In particular, she said that in its current form the agreement did not provide adequate protection from bulk surveillance by US spy agencies.
EU Members To Withhold Support
The comments will most likely mean that no agreement will be possible in the short term, at least until those issues are ironed out. Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), told us Falque-Pierrotin’s statement means more changes to the agreement are coming.
“President Falque-Pierrotin made clear that there must be continued negotiations and further changes before the privacy officials could express support for the text of the agreement,” Rotenberg told us in an e-mail. “The practical consequence is that the EU member nations will likely withhold support for the arrangement until these necessary changes are made.”
The Privacy Shield was designed to replace the previous agreement between the EU and the U.S. on how enterprises handle citizens’ personal information, known as the “Safe Harbor” agreement. That framework was invalidated last year when European courts found that it failed to provide adequate protection for EU citizens.
Falque-Pierrotin said the Privacy Shield represented a major step in the right direction compared to the Safe Harbor agreement. Nevertheless, more work on the deal remains to be done if it is to offer European citizens the same protections afforded to them by EU regulations, she said.
But according to Jens-Henrik Jeppesen, director of European Affairs for the Center for Democracy and Technology, any changes are likely to be minor. “Whatever the Privacy Shield ends up looking like, it won’t address the main issue,” Jeppesen told us.
The biggest sticking points for EU regulators are the concerns regarding bulk data collection and surveillance by U.S. spy agencies, he said. “That requires legislative reform,” Jeppesen noted. Even if the U.S. administration is willing to curtail the powers of its surveillance agencies, it would still have to somehow push that legislation through a recalcitrant Congress, he added.
Legal Limbo
The chairperson’s statements are not legally binding, and only the European Commission has the power to decide on whether to ratify the Privacy Shield. But the Article 29 Working Party represents the opinions of the data protection authorities in many European countries, and the objections voiced by Falque-Pierrotin likely reflect the viewpoint of at least a majority of those authorities.
That’s important because national data protection authorities will have the power to fine companies up to 4 percent of their global revenues if they think the privacy of their citizens has been invaded. That could leave many of the largest U.S. tech companies, such as Google and Facebook, in legal limbo when it comes to storing customer data.
Rotenberg said Falque-Pierrotin’s statement helps legitimize EPIC’s efforts to strengthen consumer protections. “The Article 29 Working Party has added legal force to the concerns raised by consumer groups, EPIC and others that the so-called ‘Privacy Shield’ fails to provide adequate protection for the transfer of personal information,” he told us.
The U.S. government and many U.S. companies still do not appreciate the gravity of the situation, according to Jarad Carleton, principal consultant with Frost & Sullivan.
“A lot of member states are exceedingly displeased with the lack of transparent democracy in EU government based in Brussels,” Carleton told us in an e-mail. “It will not be a surprise to me if a Privacy Shield agreement that is viewed as weak gets EU member-state data protection authorities up in arms and leads to new lawsuits” similar to the one that invalidated the Safe Harbor agreement in October, he said.
The inability of U.S. companies to grasp the importance of the issue could lead to months, if not years, of legal limbo for them. “In conversations at a security conference in Munich last October, one comment still rings in my ears: ‘the Americans aren’t taking this seriously and we suspect it will take them two years before they understand we are serious about privacy,’” Carleton said.