eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
The free flow of petabytes of data transmitted by the largest corporations and private citizens will continue across the Atlantic Ocean as the result of a new “safe harbor” agreement reached Feb. 2 between the United States and the European Union to protect data transfers between the United States and EU member nations.
The agreement replaces a 15-year-old pact that the EU’s highest court struck down in October 2015 because it failed to protect the data of European citizens from snooping by U.S. intelligence or police authorities.
Months of intense negotiations in Brussels, Belgium, the headquarters of the European Commission, finally yielded results a couple of days past the Jan. 31 deadline. The talks were closely watched by the world’s tech community because a failure to reach a timely agreement could conceivably have disrupted or at least complicated transatlantic data transfers.
Right now, EU negotiators are pleased that they got the concessions they wanted, which limit access to the private data of Europeans by U.S. intelligence agencies.
U.S. Commerce Department officials, meanwhile, seemed almost giddy with delight as they discussed the agreement’s terms at a press conference, especially since some of the world’s largest corporations—including Google, Facebook and Amazon.com—were holding their feet to the fire. But there is still a great deal of uncertainty about whether the current informal framework of the draft agreement will hold water long enough to go into effect.
U.S. concessions include guarantees, renewed annually, of privacy for the personal information of European citizens. These agreements would include limits on what U.S. companies can do with such data along with restrictions on the interception of data by the U.S. intelligence community as it flows between the two continents.
There are also a number of methods that Europeans can use to contest any attempts to gather data, including judicial redress, ombudsman positions at the U.S. Department of State, and monitoring by the Commerce Department and the Federal Trade Commission.
Unfortunately, there are also some stumbling blocks in the road to a final, signed agreement. The current negotiated framework must be turned into an actual written agreement that is acceptable to both sides. After the draft agreement is reviewed and revised, it will be turned into a final form, which must then be ratified by each of the EU member nations.
While the European Commission may think the agreement is solid, that doesn’t really matter. It will eventually be reviewed by European privacy agencies, of which each member nation has one. The EC has no authority over those agencies at all, and the privacy agencies can accept or reject the new agreement for their own reasons.
Complicating matters are the concepts of privacy in a Europe with fresh memories of world wars, dictatorships, police states, genocide and ethnic cleansing. As a result, the European view of privacy is far more extreme than it is the United States.
U.S., EU Agree on Privacy Shield to Maintain Transatlantic Data Flow
Furthermore, the U.S. has engendered profound mistrust among Europeans as a result of the revelations of former National Security Agency analyst Edward Snowden about U.S. intelligence agencies’ ability to intercept and analyze international communications. This means that this new safe harbor agreement is sure to get extremely close scrutiny by EU privacy authorities.
This lack of trust means it’s likely that there will be legal challenges that delay the ratification of a final agreement. In fact, at least one EU privacy advocate has reportedly filed a challenge, and more are reportedly on the way. But right now, the two governments are acting as if the Privacy Shield is a done deal, even though it might not be.
“This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online,” said Commerce Secretary Penny Pritzker, in a prepared statement.
The U.S. has apparently provided written assurances to the EU in regard to the privacy protections that the negotiators have agreed to. The new agreement has been hailed by U.S. companies, including Apple, Microsoft and Google, which have been worried that they could lose a significant portion of their European business.
However, that enthusiasm isn’t echoed in Europe, where privacy advocates are suggesting that even written assurances don’t have any real legal protection, since they suspect that the U.S. intelligence community will simply ignore any assurances that prove inconvenient.
Some U.S. groups are also expressing their doubts and suggesting that more needs to be done on the part of the United States. “In the wake of the Snowden disclosures, European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law. But abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, said in a statement.
“We are pleased that U.S. and European policymakers have resolved this issue and support the free flow of data between these two markets. We hope the new agreement signifies a line of thinking that will shape future EU policy decisions as well,” Castro said.
Castro noted that the U.S. and the EU still need to make significant privacy reforms, including the passage of the Judicial Redress Act and in Europe the limiting of such protectionist measures as the European Cloud and a realization of the global nature of the world’s digital markets.
For now, officials in the U.S. and Europe are mostly hoping that privacy advocates hold their fire long enough for the agreement to be approved in its final form, which could take several more months.