
EU Regulators May Not Endorse Crucial U.S. Data Privacy Deal

European flags fly at Berlaymont building in Brussels, Belgium, which houses the European Commission headquarters. Photograph by Getty Images

Next week Europe’s privacy regulators are going to say whether or not they like the “Privacy Shield” deal cooked up between the U.S. administration and the European Commission.

This agreement couldn’t be more important for U.S. online companies and multinationals, as it will give them a relatively easy way to keep on legally handling the personal data of European customers and employees—from names and birth dates to emails and files in cloud storage.

However, things aren’t looking good on that front. According to a “leak” from a German regulator, the data protection authorities are not going to give the Privacy Shield their seal of approval as politicians and businesses have been hoping.


This adds yet more uncertainty to the outlook for U.S. firms, and could pave the way for some serious legal battles down the line.

Now that negotiations with the U.S. administration are over, the next step is for the European Commission to issue an “adequacy decision,” based on the Privacy Shield agreement, stating that Europeans’ personal data will be handled fairly when exported to the U.S.

The last such adequacy decision, based on the EU-U.S. “Safe Harbor” agreement, got shot down in flames last year by the European Court of Justice, thanks to U.S. mass surveillance programs. The new one is supposed to uphold privacy rights for Europeans and limit U.S. state surveillance when it comes to their data.

However, last year’s ruling also empowered the EU privacy regulators to challenge or even suspend data transfers if they think Europeans’ data is at risk, regardless of what the Commission has agreed to. So, while the Commission doesn’t technically have to respect the wishes of the regulators when it makes its adequacy decision, not doing so could end up rendering the exercise pointless.

A quick bit of background: Uniquely among EU countries, Germany has a different data protection authority in each of its states. They all held a conference this week ahead of next week’s plenary session of the Article 29 Working Party (WP29), where all the national privacy regulators get together. This conference was about agreeing on a common position that the German representative will take along to the larger WP29 meeting.

On Friday, the authority from the state of Baden-Württemberg published a report of what went down at the German meeting, including what seemed to be snippets of text from the draft WP29 position, to be presented next week.

Those snippets read:

“Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision. It stresses that some of the clarifications and concerns—in particular relating to national security—may also impact the viability of the other transfer tools.”

“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

The document went on to suggest that, if the Commission decides to go ahead and set up the Privacy Shield without fixing the not-quite-specified problems (though we can guess) in the current text, the regulators are prepared to go back to the European Court of Justice.

If that scenario plays out, there’s arguably no point in U.S. companies signing up to the Privacy Shield register until the outlook is more certain, and they will essentially stay in legal limbo.


A Commission source said the aim is still to establish the Privacy Shield in June, and the Commission has a policy of not commenting on leaks.

Now, the Baden-Württemberg regulator pulled the document from its website after it attracted attention (mainly thanks to privacy lawyer and blogger Carlo Piltz, who has now posted a copy online anyway). There is still a vague possibility that these snippets won’t make it into the final proclamation by the Article 29 Working Party next week.

However, it looks like this long-running, painful saga is nowhere close to being over. And without an easy way to stay legal in Europe, that puts U.S. companies in a very uncomfortable position.