U.S. Multinationals Have a Huge Privacy Problem in Europe
Europe’s privacy regulators have urged EU lawmakers to resume negotiations with the U.S. administration over the “Privacy Shield” data-sharing deal, saying the agreement announced in February isn’t good enough.
U.S. multinationals therefore remain in legal limbo when it comes to importing the personal data of Europeans, such as emails, files, and even names and birth dates. That applies to corporations wanting to process the information of employees in Europe, as well as web firms providing cloud services to European customers.
There used to be a simple way for companies to import this data without the threat of legal action—an agreement called Safe Harbor, which let firms self-certify that they abide by EU-strength privacy rules. However, that deal got nixed by Europe’s top court because firms couldn’t guarantee the data wouldn’t be sucked up by U.S. intelligence agencies, and because Europeans didn’t have adequate ways in which to complain about their data being misused.
Guess what? The same problems are (as predicted) holding back the approval of the new Privacy Shield deal, Safe Harbor’s replacement.
Get Data Sheet, Fortune’s technology newsletter.
“The possibility that is left in the Shield…for bulk collection, which is massive and indiscriminate, is not acceptable,” said Isabelle Falque-Pierrotin, the head of French data protection authority CNIL and the frontwoman for all of Europe’s privacy watchdogs, on Wednesday.
Under the terms of the Privacy Shield deal, U.S. agencies agreed to limit their bulk surveillance of Europeans’ personal data to occasions when they’re investigating terrorism, espionage, or cybersecurity. However, the EU’s regulators pointed out that these conditions apply only to the use of collected data, not the collection itself, which is still indiscriminate, and that even then the exceptions were unacceptably broad.
That’s against EU law, which demands targeted surveillance, at the collection stage. The whole point of Privacy Shield is to ensure that the U.S. gives equivalent protections to Europeans’ data as they get back home.
The other major problem is the role of the new “ombudsperson” mechanism, described in Privacy Shield, that would supposedly give Europeans a straightforward way to complain about data misuses in the U.S. The regulators said the idea was good, but the complaint system was still too awkward — and crucially, it doesn’t look like the ombudsperson wouldn’t have enough power to actually deal with complaints as EU law demands.
Falque-Pierrotin said the regulators had gotten a lot of verbal assurances from the U.S. administration and others about their concerns, but even if these were in writing, they wouldn’t be enough to fully put their minds at rest.
So what now?
The European Commission, the EU’s executive branch, was hoping to officially sign off on the Privacy Shield deal in June. However, that road map was based on negotiations with the U.S. being over. The privacy regulators want to see more negotiations, and revisions to the current text of the agreement.
The Commission doesn’t technically need to listen to what the regulators say, but the watchdogs have the right to investigate and suspend data transfers if they don’t think Europeans’ rights are being protected—regardless of what deals have been struck across the Atlantic. That makes listening to them a good idea.
Vera Jourová, the commissioner in charge of the deal, said the Commission would “work to swiftly include” the regulators’ recommendations in the final Privacy Shield text. However, there is only so much the Commission can do on its own — the main problems need concessions on the American side.
Max Schrems, the plaintiff in the case that brought down Safe Harbor, said he expected the commission to push on despite the regulators’ opinion.
“I personally doubt that the European Commission will change its plans much,” he said. “There will be some political wording, but I think they will still push it through. Given the negative opinion, a challenge to the Privacy Shield at the courts is even more promising. Privacy Shield is a total failure, that is kept alive because of extensive pressure by the U.S. government and some sectors of the industry.”
For more on privacy and national security, watch:
As for the companies caught in the middle, they are in a tricky position.
Those who are still relying only on Safe Harbor (which doesn’t exist anymore) are liable for fines and could even be told to stop transferring data to the U.S. As things stand, they can only legally send data off to U.S. servers if they have drawn up legal tools called binding corporate rules and model clauses. These are a pain to set up, as the process can take well over a year.
Larger companies, such as Facebook, have long ago set up these mechanisms as a fallback position, which means the striking down of Safe Harbor didn’t suddenly make their activities illegal.
However, these tools theoretically suffer from the same flaws as Safe Harbor and—the regulators say—Privacy Shield. That means if the U.S. doesn’t agree to further change its surveillance practices, even binding corporate rules and model clauses could be invalidated.
If all that comes to pass, U.S. companies dealing with the EU face a whole world of pain. For now, there’s no long-term solution in sight.
“Given the pressure and the non-binding nature of the [regulators’] opinion, it is highly likely that Privacy Shield will continue to press forward,” said Aaron Tantleff, a lawyer in the privacy practise at Foley & Lardner. “However, by doing so it will be open to significant attacks by the public, and a court challenge is all but guaranteed. Rejection of the Privacy Shield is problematic for many organizations.”
This article was updated as more information came in.