Europe’s top politicians may be brandishing a deal with the U.S. on keeping data flowing over the Atlantic, but Europe’s privacy regulators want to see the details before giving their approval.
In fact, the EU’s data protection authorities said Wednesday that they’re still not sure whether any transfers of Europeans’ personal data to the U.S. are legal. They want to see the finished “Privacy Shield” agreement in full before they make that call.
Here’s why it’s worth paying attention to what they decide next month.
Rewind to last October, when the European Court of Justice (ECJ) struck down the Safe Harbor agreement that thousands of companies were using as the legal basis for transferring personal data from the EU to the U.S.
That decision was actually tangential to the court’s core ruling in a case involving an Austrian law student called Max Schrems, who couldn’t get Ireland’s data protection authority to investigate Facebook’s transfers of his data to the U.S. Schrems was worried about the National Security Agency after the Edward Snowden revelations, but the Irish watchdog refused to investigate because of the European Commission’s 2000 Safe Harbor decision, which set up a framework for EU-U.S. transfers.
The ECJ’s main ruling in the case was that EU data protection authorities can investigate and potentially even suspend specific data transfers to a non-EU country if the transfers could be violating someone’s rights. That applies even if the European Commission (the EU’s executive body) has said transfers to the destination country are acceptable, the court ruled.
So the bloc’s privacy watchdogs have just had their independence reinforced. They can’t block the commission from setting up the new Privacy Shield scheme, but if they think it’s not really going to protect EU citizens, they can effectively remove the legal certainty the program is supposed to give U.S. tech firms operating in Europe.
Isabelle Falque-Pierrotin, the chair of both French privacy watchdog CNIL and the “Article 29 Working Party” (the loose grouping of all the EU’s data protection authorities), said this afternoon that the watchdogs had seen nothing substantial about the new Privacy Shield agreement. The commission asked them limited questions at the last minute and they received a U.S. delegation last week, but they haven’t seen the details they need.
In other words, they can’t tell yet if it’s a good deal, or just a sticking plaster that was rushed out because their deadline for agreeing on a Safe Harbor successor had passed.
Falque-Pierrotin said the commission must provide the full agreement, with all its legal wording in place, by the end of February. Then, in March, the regulators will decide whether any legal mechanism can legitimize personal-data transfers to the U.S.
That includes not only the Privacy Shield plan, but also the alternative mechanisms that companies can still use to keep transfers legal. The EU data protection authorities have spent the months since the Safe Harbor strike-down examining these mechanisms, to see whether they also expose Europeans to anti-privacy practices in the U.S.
These alternative mechanisms include “binding corporate rules,” for transfers within multinationals, and “model clauses,” for transfers between companies. They remain legal (at least until March), but many companies that used to rely on Safe Harbor won’t have had time to set them up, and may currently be breaking the law by passing personal data from the EU to the U.S.
Time is up on that front. The regulators’ end-of-January deadline has passed, and it is now up to individual regulators to decide whether they want to start cracking down.
So for the tech industry, Privacy Shield can’t come soon enough. But if its details don’t satisfy the regulators, the much-vaunted transatlantic political agreement won’t be worth much.