The U.S.’s new Privacy Shield deal with the European Union won’t be enough of a sure thing for businesses, the man who brought down its predecessor has predicted.
Privacy Shield, which the European Commission is expected to formalize on Tuesday, is the replacement for a pact called Safe Harbor, which the European Court of Justice (ECJ) struck down last year over a lack of safeguards for EU citizens’ privacy rights.
The new deal is supposed to provide multinationals and web firms with a relatively easy way to legally process the personal data of European customers and employees, but its long-term viability depends on whether it will stand up where Safe Harbor fell.
Max Schrems, whose complaint against Facebook (FB) sank the earlier arrangement, thinks Privacy Shield is doomed.
Schrems told Fortune on Monday that legal uncertainty around the new pact will mean companies won’t rush to sign up to the Privacy Shield register. “It’s the same as Safe Harbor with a couple of additions, and it’s going to fail like the one before,” he said. “It’s better than Safe Harbor, obviously, but far from what the ECJ has asked for.”
Of course, that’s not the stance being taken by the European Commission, which has spent the last nine months scrambling to replace Safe Harbor, and some of the businesses that want to see data stay flowing across the Atlantic.
On Friday, when the EU’s member states voted to approve Privacy Shield (albeit with reported abstentions from Austria, Bulgaria, Croatia, and Slovenia), justice commissioner Vera Jourová insisted that the arrangement was “fundamentally different” from its predecessor. Additionally on Monday, Microsoft (MSFT) EU government affairs chief John Frank wrote that Privacy Shield “puts data flows between Europe and the U.S. on a solid legal foundation.”
According to Schrems, an Austrian lawyer and perennial thorn in Facebook’s side, Privacy Shield fails to provide this solid foundation in several ways.
Firstly, Schrems said, Privacy Shield does not ensure that Europeans’ personal data will only be processed for narrowly defined purposes, as EU law requires. He complained that people will often not be able to opt out of having their data processed, as is again required.
Schrems also criticized the deal’s provisions for “redress,” which is supposed to give people ways to complain about surveillance and abuse of data. The arbitration services that would handle commercial complaints (chosen by the companies who have been complained about) would have limited independence and few powers to investigate the complaints, he said, adding that the “ombudsperson” for investigating complaints against U.S. agencies would also lack independence.
So will Schrems try to take down Privacy Shield as he did Safe Harbor?
Get Data Sheet, Fortune’s technology newsletter.
“I don’t think will be a lack of people challenging it,” Schrems said. He predicted that the EU’s data protection authorities—who criticized an earlier Privacy Shield draft and will review the final version after its adoption this week—may be first in line, followed by NGOs and others.
“We haven’t really made up our minds so far, but it’s really not a problem to challenge it,” he said. “There are so many options to kill it.”
For that reason, the Austrian said, businesses will stay away: “A lot of industry lawyers I talk to say they are not going to rely on Privacy Shield because it is going to be challenged and overturned…I don’t think it’s going to be a commercial success story as Safe Harbor was before, because there’s a lack of legal certainty.”
Joe McNamee, the executive director of EU digital rights group EDRi, echoed Schrems’s warning. “It seems to be a perfect compromise insofar as everyone loses,” he told Fortune. “Companies need certainty; they don’t get it. Citizens need their data protected; they don’t get it. I guess everyone’s just going to wait until the inevitable ECJ case.”
For more on privacy, watch:
But Monika Kuschewsky, a Brussels-based data protection lawyer with Covington & Burling, seemed much more upbeat about Privacy Shield’s prospects.
“The U.S. has clearly made further concessions to satisfy the concerns raised by the various stakeholders, including the data protection authorities in the EU, since the publication of the first draft of the Privacy Shield adequacy decision in February,” she said. “The Privacy Shield certainly contains a much more robust set of commitments than those underpinning the Safe Harbor, and will provide stronger protections to data subjects in the EU as a result.”
Cameron Kerry, a lawyer in Sidley Austin’s Boston office, said it was likely that there would be a challenge to Privacy Shield, which he said provided a “new international standard for data transfers.”
“It’s prudent to have an alternative [legal mechanism for transfers] in place,” he said in a Monday conference call.
