US-EU Privacy Shield Agreement Filled with Vague Promises

After three months of intense negotiations, the United States and the European Union settled the framework for a new data transfer agreement called Privacy Shield on February 2. Transatlantic data transfers had been at risk since October 2015, when the European Court of Justice overturned a 15-year-old data protection agreement called the Safe Harbor Treaty after having deemed the protections in the pact insufficient. Privacy Shield fills this void, and new privacy regulations once again allow international companies to transfer European data to the United States. The debate over data privacy highlights the difference in approach to privacy between the United States and Europe. According to the European Agency for Fundamental Human Rights, the European Union, in contrast to the United States, considers privacy a fundamental human right, guaranteeing citizens greater control over their personal information in all 28 member states. European laws thus include guarantees like the right to be forgotten, which forces search engines to remove links to past legal decisions upon a user’s request. Likewise, European Courts hold that foreign companies must honor a European’s right to privacy.

The new treaty, Privacy Shield, contains several promises. First, the United States agrees to abstain from indiscriminate mass surveillance of European citizens. Instead, the government will only access personal data from Europeans when it is deemed necessary for law enforcement or national security purposes. American companies importing data from European citizens must also comply with certain obligations enforced by the US Federal Trade Commission. Finally, when Europeans believe their data rights were violated, they have the ability to address their complaints to an ombudsman – an official responsible for investigating complaints – appointed under the US Department of Commerce.

However, opposition continues to grow against the new agreement. Sophie in’t Veld, a Dutch member of the European Parliament, commented that the promises in Privacy Shield are vague at best. She doubts that it upholds the standards set by the European Court of Justice and thus demands a thorough, judicial analysis of the agreement.

Likewise, in an interview with German news agency Tagesschau, privacy expert Jan Philip Albrecht of the German Green Party even called the agreement a “joke,” arguing that the Privacy Shield’s ombudsman methodology will not protect the right to privacy.

Moreover, Austrian law student Max Schrems, who led the campaign to overturn the Safe Harbor Treaty, has questioned the complete absence of a mechanism that would allow the European Union to ensure that the United States is not engaging in mass data collection. The criticism stems from the fact that the agreement contains promises, rather than guarantees. Without any outside mechanisms holding the United States accountable, it is questionable to what extent a European’s right to privacy is protected.

For now, the agreement takes Safe Harbor’s place, allowing data transfers across the Atlantic to resume. Yet Privacy Shield is only a framework, buying negotiators enough time to figure out the details. After the national data protection authorities finalize the agreement three months from now, all 28 members of the European Union will have to ratify it.

Although it is unlikely that the pact will satisfy all EU member nations, it will probably pass because it is a necessity for transatlantic businesses. Victoria A. Espinel, president of the Software Alliance, emphasizes that half a trillion dollars in trade were at stake, crystallizing the economic necessity of reaching an agreement. Nonetheless, legal challenges will likely follow. Emboldened by his first victory in the European Court of Justice, Schrems already expressed the willingness to take this agreement to court, where it will have to withstand even greater scrutiny.