The U.S. tech industry breathed a big sigh of relief as European regulators voted in favor of a pact that will let American companies transfer data about customers and employees overseas without stepping on legal landmines.
The measure is critical because it replaces a previous legal regime known as the “Safe Harbor,” which Europe’s top court kiboshed in 2015 after an Austrian citizen claimed it allowed U.S. companies too much control over personal data. The safe harbor case was about Facebook (FB), but the ruling served to put any American firm in legal jeopardy if they ran software in Europe.
“The vote will be an important step towards moving us back to predictability and reliability,” said Victoria Espinel of the Business Software Alliance, a U.S. trade group that represents tech firms.
According to Espinel, over 4,400 U.S. firms across numerous industries relied on the old safe harbor rules, and the new privacy shield means they can breathe easy again.
“It’s important to all of our companies in the cloud space. The cloud doesn’t work if data is forced to stay in borders. Data must move back and forth for cloud computing to work,” Espinel said by phone.
A Voice for Europeans in the U.S.
The European Court of Justice threw out the old safe harbor rules, which allowed U.S. tech firms to self-certify that they complied with Europe’s privacy rules, in part because they did not give EU citizens enough control over their data.
The new privacy shield addresses the court’s concerns by introducing new safeguard measures. One of the most important is the creation of a U.S. “ombudsman” to whom Europeans can bring privacy complaints, including ones about how American intelligence agencies spy on social networks and other tech firms.
The issue became a hot topic in Europe after revelations by former NSA contractor Edward Snowden that the U.S. government had forced companies like Google (GOOG) and Yahoo (YHOO) to disclose data and, ultimately, led to the collapse of the old safe harbor rules.
The creation of the ombudsman will, in theory, allay concerns about such snooping by letting Europeans communicate directly with the U.S. State Department about surveillance tactics.
Under the new privacy shield law, European data regulators will also work more closely with the Federal Trade Commission, an agency that serves as the top privacy cop in the United States.
A final reason the Privacy Shield got done is a new law, called the Judicial Redress Act, signed by President Obama in February. The law basically allows European citizens to bring privacy complaints in U.S. courts.
“Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice,” said two top EU officials in response to the vote on Friday.
But despite the praise for the Privacy Shield from both sides of the Atlantic, there are still doubts the deal will be durable enough to last.
“Better Than Nothing”
The Privacy Shield is not technically a done deal yet because it still requires a final blessing from the European Commission. Few, though, doubt this will be a problem since that step is considered a formality.
There are, however, doubts about how well the deal will stand up in the near future. Among the skeptics is William McGeveran, a privacy law scholar at the University of Minnesota.
“Is the shield better than nothing? Probably but it won’t be anything compared to what companies got out of the safe harbor,” he said in a recent phone interview.
According to McGeveran, the difference between the legal regimes is captured by the metaphors used to describe them: in the case of the harbor, companies could sit secure and unbothered, while the new shield will instead serve to block a series of incoming blows.
The legal blows aimed at U.S. companies will continue to arrive, he explained, because the European Court of Justice’s ruling in the Facebook case (known as Schrems) did not draw bright lines over what privacy rules would be acceptable, and which would not be. Instead, the court says the definition of should change in response to current events—an arrangement that could lead local data regulators to keep moving the goal posts over the definitions of data privacy.
McGeveran pointed out that national and even regional data regulators in Europe will continue to have the power to probe the manner in which U.S. companies deal with data.
“A lot of rhetoric says this takes us back to the status quo before the Schrems decision, which is a big mistake,” McGeveran said. “Now, you have many regulators who take different approaches – creating a situation where one or two especially active data regulators could undo this.”
McGeveran also pointed to a recent summit between the FTC and France’s top data regulator, where observers noted the Privacy Shield represents a solid start rather than a permanent solution. Further uncertainty comes in the form of a withering legal assessment by a top Eurocrat, who basically spat on the deal in May.
Espinel of the Business Software Alliance is more optimistic. She claims that the process of revisiting the Privacy Shield rules, which is a baked-in part of the EU-U.S. pact, is actually a strength, not a weakness, because it will prevent a legal breakdown such as the one that befell the safe harbor.
Meanwhile, everyone appears to agree the Privacy Shield will be subject to legal challenges that will ultimately be sorted out by the European Court of Justice. On this front, there may be cause for optimism since some lawyers are saying that, in the wake of Brexit and other political turbulence in Europe, the ECJ will be reluctant to issue rulings that upset the status quo.
Finally, there is the question of Britain and how it fits into the new Privacy Shield regime. For now, the country is still quietly participating in the European Commission process. But in coming days, it may have to negotiate its own arrangements with both the EU and U.S.