The United States and the European Union on Monday released the full text of an agreement that would let U.S. companies transfer Europeans’ data across the Atlantic and establish new ways for E.U. citizens to complain about data-privacy violations.
The Obama administration’s 128-page document package includes commitments from the Federal Trade Commission, the State Department, and other federal agencies to uphold the protections enshrined in E.U.–U.S. Privacy Shield, the deal struck in early February to replace a previous data-sharing agreement.
Europe’s top court struck down the first agreement, known as Safe Harbor, in late 2015 over concerns that U.S. companies could not meet the stringent privacy rules of Europe’s 28 national data-protection regulators because the firms were subject to American mass-surveillance programs. That threw the American business sector—especially the Silicon Valley firms awash in European customers’ personal data—into chaos, as they waited to see if a new deal would be struck to legalize their transfers.
“This isn’t a good deal. It hardly deserves to be called a ‘deal’ of any kind.”
The U.S. intelligence community did not agree to make any substantive changes to its surveillance activities, a fact that could jeopardize Privacy Shield’s fate when E.U. member states and their data-protection bodies meet to review the agreement. But the State Department will establish a privacy ombudsman office to receive complaints from Europeans about companies or government agencies improperly accessing their data.
Privacy Shield requires companies to respond to such complaints within 45 days, but there will also be “alternative dispute resolution” forums to hear complaints, and the European Commission—the region’s executive body—will work with the FTC to ensure that alleged violations are investigated.
“Strong law enforcement and increased cooperation will be critical to the new framework’s success, and the FTC will play a significant role in enforcing commercial privacy promises under the framework,” FTC Chairwoman Edith Ramirez said in a statement.
If Privacy Shield is enacted, U.S. companies will need to submit detailed reports explaining how they protect the privacy of individuals whose data they move between continents. Only then will the deal cover them.
The two governments will review compliance with data-privacy rules every year.
Tech-industry trade groups, which represent many large companies caught in a legal vacuum after Safe Harbor was struck down, praised the release of the new deal’s text in glowing, hopeful statements.
“The Privacy Shield will provide strong privacy safeguards, legal certainty for companies and enhances transatlantic trust,” said Christian Borggreen, international policy director for the Computer and Communications Industry Association.
“After our initial review, it appears that the two sides have achieved the objective of securing an agreement that both enhances privacy protections and provides the certainty needed to promote innovation and economic growth,” said Josh Kallmer, senior vice president for global policy at the Information Technology Industry Council.
“Approval of the new framework by European leaders will be an important step toward fostering greater innovation and global economic progress,” said Mark MacCarthy, senior vice president of public policy at the Software and Information Industry Association.
Digital privacy is considered a fundamental right in the European Union, enshrined in the region’s founding charter like freedom of speech in the United States. Many of Europe’s national data-protection agencies have expressed skepticism that Privacy Shield will meet their stringent requirements, and despite the months of work that went into its drafting, the deal’s success is far from assured.
European privacy advocates issued fresh condemnations of the agreement on Monday.
“This isn’t a good deal,” Joe McNamee, executive director of European Digital Rights, said in a statement. “It hardly deserves to be called a ‘deal’ of any kind.”
Illustration by Jason Reed