Privacy Shield Roils Critics, Muddying U.S.-EU Data Sharing Picture
The recently proposed data-transfer pact between the U.S. and European Union has come under fire from critics, including privacy activists and some EU lawmakers, who claim the deal fails to adequately protect EU citizens from surveillance by American intelligence agencies. Early last month, the EU Commission and U.S. officials agreed to a new deal to replace the long-standing Safe Harbor agreement, which enabled U.S. companies to handle and store the personal data of users in the EU without being subjected to the EU’s often strict privacy rules. In October, Europe’s top court struck down Safe Harbor, throwing many U.S.-based companies that handle EU citizen data—including Google and Facebook and financial services providers—into a state of legal limbo. The new agreement, dubbed the EU-U.S. Privacy Shield, was hailed by supporters as a strong and sensible framework that would require U.S. companies to protect the personal data of Europeans and increase cooperation with European data protection authorities.
But after the full text of the Privacy Shield framework was released this week, some argued the plan didn’t go far enough to protect user data against “mass surveillance,” despite conditions that require written assurances placing limits on the U.S. government’s access to personal data for national security purposes. The deal also establishes an ombudsman within the State Department to address complaints from Europeans that U.S. intelligence agencies have inappropriately accessed their personal data. However, critics said the official selected for the role, Undersecretary of State Catherine Novelli, isn’t sufficiently independent and lacks the necessary authority over intelligence agencies.
No official court challenge to the Privacy Shield has yet materialized, but observers expect the deal to eventually wind up back in front of the bench, which would further muddy the waters for the 4,000 U.S. companies affected by the data sharing regulations. Further complicating matters, a working group comprised of privacy regulators from all 28 EU countries is separately reviewing the draft and must approve the plan before it can be enacted.