Microsoft (MSFT) has given the thumbs-up to the new “Privacy Shield” agreement that will let U.S. firms import and use the personal data (such as emails and files) of European Union citizens.
That makes Microsoft the first big company to throw its weight behind the pact, which hasn’t been launched yet—the negotiations between the EU and U.S. are done, but the European Commission hasn’t yet issued the “adequacy decision” that will set it in motion. The agreement’s predecessor, Safe Harbor, was struck down because U.S. surveillance programs meant it did not offer “adequate” privacy protections to Europeans.
The EU’s privacy regulators are due to give their opinion on the new deal this week and leaks suggest they won’t approve it. They can’t technically stop the commission issuing its adequacy decision, but they can make life very difficult for companies transferring the data if they think the U.S. doesn’t offer adequate protections.
Get Data Sheet, Fortune’s technology newsletter.
Microsoft thinks the deal is great, though. Here’s what John Frank, the firm’s head of EU government affairs, wrote in a Monday blog post:
We continue to believe today that additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements. But we believe that the Privacy Shield as negotiated provides a strong foundation on which to build.
We believe that the European Commission and U.S. Department of Commerce deserve credit for addressing complicated legal issues in ways that create stronger and pragmatic privacy protection for European citizens while enabling the continued movement of data that is the lifeblood of our economies.
Privacy Shield is supposed to limit the surveillance that U.S. authorities can carry out on Europeans’ personal information, and place new obligations on the U.S. firms that will be importing the data of their customers or (in the case of multinational corporations) their employees.
Microsoft said it would sign up for the Privacy Shield program, meaning it will need to do things like respond to complaints about data misuse within 45 days, and cooperate with EU privacy regulators.
For more on privacy, watch:
However, also on Monday, the European Consumer Organisation (BEUC) wrote to the EU regulators to complain that the deal “does not adequately protect consumers’ fundamental rights to privacy and data protection.”
BEUC said Privacy Shield suffered from the same flaws as Safe Harbor, chiefly due to a mismatch between the European and American legal systems:
Unlike in the EU, in the U.S. there is no statutory recognition of privacy as a fundamental right and the commercial collection and use of personal data remains largely unregulated except in certain narrow sectors…
BEUC considers that the European Commission should hold off from adopting the Privacy Shield, or any similar decision, until the United States can really guarantee, via its legal framework, an essentially equivalent level of data protection to the one existing in the EU.
Let’s see what the regulators themselves say later this week.
