European enforcers not sold on ‘privacy shield’
Facebook’s Data Center in Luleaa, Swedish Lapland, was the company’s first to be built outside the U.S. | Jonathan Nackstrand/AFP via Getty Images
In a stuffy room in a European Commission building near Brussels’ Place Jourdan, the EU’s data cops will meet this week to decide the fate of an agreement to enable companies to move data across the Atlantic.
If the authorities decide the “privacy shield” pact doesn’t offer Europeans adequate protection, billions of euros of lost business will be at stake because data transfers could grind to a halt. Although the outcome is not binding, it would be difficult for the Commission to ignore.
The privacy shield was created by the Commission and U.S. negotiators in February after its 15-year-old predecessor known as “safe harbor” was struck down by the European Court of Justice in October because it did not sufficiently protect Europeans’ data.
Before the ECJ ruling, more than 4,000 U.S. companies relied on safe harbor for legal cover. Companies self-certified that they offered Europeans the same level of data protection in the U.S. as they got at home. The revelations of mass surveillance by former National Security Agency contractor Edward Snowden cast doubt on those promises.
The Commission wanted the replacement privacy shield framework to be operational by June.
However, it will face serious challenges when EU national data protection authorities and the EU’s Data Protection Supervisor Giovanni Buttarelli issue a joint opinion Wednesday, according to several people involved, who requested anonymity because the deliberations are private.
Germany’s data authorities have already decided they want to send the pact back to the drawing board, according to an opinion leaked last week. Other countries’ authorities said they will request changes too.
“[The German position] gives an indication of our final conclusion, even though the wording [used in the leak] does not appear in the latest draft,” a person involved in the negotiations told POLITICO.
Europe’s data protection authorities will have plenty of questions Wednesday.
One issue, sources say, is a lack of clarity around the role of the ombudsman who will investigate Europeans’ privacy complaints under the framework. Another concern is that there are six exceptions under which the U.S. can still collect European data in bulk, including counterterrorism, cybersecurity, and detecting and addressing certain activities of foreign powers.
The Commission wouldn’t speculate on the outcome of the meeting and still plans to adopt the privacy shield framework by June.
“In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new ombudsman mechanism,” said Commission spokesperson Christian Wigand.
U.S. negotiators have previously said there’s little room for movement on their side.
The European data protection authorities’ potential opposition to privacy shield is making companies nervous.
“This puts companies in a limbo,” said Olivier Proust, a data protection specialist with the law firm Fieldfisher. “[Companies] have to keep transferring data. Moving data [to Europe] isn’t a practical or viable solution. In a globally connected world, this is not a solution.”
More serious still, the data authorities could also argue this week to invalidate other frameworks for data transfers, namely binding corporate rules and model clauses.
Binding corporate rules are a mechanism established by the Commission and frequently used by multinationals to transfer personal data between departments, such as payroll information. Model clauses, by contrast, are often used by European firms that pass their local customers’ data onto U.S. companies as part of an outsourcing agreement.
Most large companies switched to model clauses and binding corporate rules after the ECJ struck down safe harbor. The annihilation of these mechanisms would be a huge blow to business confidence.
“That’s the main industry risk here,” said Alexander Whalen, senior policy manager for DigitalEurope, a trade organization for large tech companies. “If the data protection authorities come out on Wednesday and say privacy shield should be pushed back and, by the way, companies can’t use model clauses or binding corporate rules, then we’ll have a gap with no legal instrument for data transfers. That’s what companies are really concerned about.”
Tech companies and law firms have rushed to defend privacy shield, hoping last-minute lobbying will sway the authorities.
“We believe wholeheartedly that it represents an effective framework and should be approved,” John Frank, Microsoft’s vice president for EU government affairs, wrote in a blog post Monday. Privacy shield, he continued, “is an important step in enhancing trust in the global digital economy, and we hope that it will be approved as negotiated.”
DigitalEurope sent a letter to EU countries’ representatives and members of the European Parliament urging them to support and implement privacy shield.
“After months of uncertainty, it is time to restore trust and legal certainty for citizens and for the thousands of European and American businesses, both large and small, that depend on transatlantic data transfers,” the letter, seen by POLITICO, says.
Julie Brill, a lawyer and former U.S. commissioner for the Federal Trade Commission who was instrumental in the privacy shield negotiations, believes the agreement is good enough.
“I would really encourage everyone to not let perfect stand in the way of something very, very good,” she said. “Overall it should be approved and should go forward.”
That argument has some support from conservative members of the European Parliament.
“The current debate is unproductive. We need to put this in the perspective of transatlantic cooperation,” Adina-Ioana Vălean, a Parliament vice-president for the European People’s Party, told POLITICO. “[Privacy shield] needs to pass as is.”
That appears wishful thinking.
The data protection authorities are likely to ask for additional assurances and clarifications to be inserted into the privacy shield agreement, and may even insist on the reopening of negotiations.
Liberal MEP Sophie in ‘t Veld, a long-time critic of U.S. data protection practices, believes the Commission gave too much ground to U.S. negotiators.
“Why is the European Commission always so submissive?” she said.
Consumer advocacy group BEUC wrote a letter to EU data protection authorities on April 11, saying: “We are convinced [privacy shield] does not adequately protect consumers’ fundamental rights to privacy and data protection. We are therefore not in favor of the adoption of this new scheme, which suffers from the same fundamental flaws as its predecessor, safe harbor.”
The verdict by the DPAs may not be legally binding, but it will be influential. Ignoring their opinion would put the Commission in a precarious position if, and more likely when, the privacy shield is challenged before the European Court of Justice.
Joanna Plucinska and Laurens Cerulus contributed to this report.