Skepticism is rampant over the Privacy Shield deal's legality.
Europe’s privacy regulators are still poring over the new “Privacy Shield” agreement that will keep the transfers of people’s data from the EU to the U.S. legal. But they’re not yet satisfied with what they see.
That’s the message that came out of a Thursday hearing in the European Parliament’s civil liberties, justice, and home affairs committee. Many voices at the hearing predictably criticized the deal, such as Max Schrems — the activist whose complaint shot down the old Safe Harbor agreement and plunged the U.S. tech sector into panic over the possibility of losing access to European customers.
If the deal doesn’t go through, there’s a strong chance American companies will no longer be able to legally serve European customers if that requires using their data, and multinationals will struggle to legally process information about their European employees.
However, the EU regulators themselves—whose opinion is key to whether the deal goes through—also sounded unsure about whether Privacy Shield respects Europeans’ rights in the ways Safe Harbor did not.
Isabelle Falque-Pierrotin, the French privacy regulator who is spearheading her EU peers’ efforts, said the watchdogs had identified four key safeguards that Privacy Shield must provide: clear and comprehensible rules, assurances of proportionality in the way U.S. national security agencies access Europeans’ data, independent control mechanisms for that access, and effective ways for Europeans to lodge complaints about how U.S. firms and agencies are treating their data.
“We feel there is an absence of rules in the Privacy Shield [regarding] data retention,” Falque-Pierrotin said. She also said the regulators had not yet established whether the redress mechanisms in the deal are “really available to EU citizens.”
Falque-Pierrotin and the other regulators are due to give their definitive opinion in mid-April.
The proportionality issue is really about mass surveillance, which Europe’s top courts are gradually establishing is not proportionate at all, and therefore illegal. Falque-Pierrotin noted that more rulings on this subject are expected in the coming months, and this could have an effect on whether the Privacy Shield deal stays legal. After all, it does still allow a degree of mass surveillance by U.S. authorities, as long as that surveillance is for one of six national-security purposes.
What’s more, the EU is currently preparing to roll out new privacy rules. At the moment, the regulators can only assess the legality of the deal under the existing rules, which date back to 1995. As Falque-Pierrotin suggested, the answer may lie in reassessing it a couple of years down the line, which is not what businesses looking for certainty will want to hear.
The view from the U.S. wasn’t terribly upbeat either. Marc Rotenberg, a Georgetown University professor and head of the Electronic Privacy Information Center, said Privacy Shield represents a “step backwards” for privacy principles.
Rotenberg particularly criticized the complexity of the redress mechanism described in the deal, which would see Europeans get new ways to complain in the U.S. But the process would take years to negotiate.
He said earlier Safe Harbor’s enforcement process was so complex that he was “hardly surprised” when it turned out the Federal Trade Commission had received a mere four complaints from the EU in 15 years.
“This process [is] even more complicated—it adds the Commerce Department as an additional step,” Rotenberg said. “This is not what redress is.” He also said the supposedly independent complaint ombudsman that the U.S. is promising to create would not have any real authority.
Schrems, meanwhile, pointed out that companies could put tricky language in their terms and conditions that would effectively kill the protections that are supposed to come from Privacy Shield. This, he complained, would mean the deal doesn’t meet the requirements set out by European courts.
“I have no clue how the [European] Commission can ever argue that this is in compliance,” he said. “We need a system that provides real protection [and] we need legal stability for businesses.”