European and American officials approved a new data-transfer agreement Tuesday that allows U.S. tech companies like Google and Facebook to collect the personal data of EU citizens. But after Edward Snowden’s revelations of the NSA’s mass surveillance, suspicions still linger that American agencies will abuse this private information.
The new transatlantic pact, known as the Privacy Shield, lets U.S. companies move European consumer data to American servers, but it requires that firms adhere to Europe’s heightened data protection standards. Under the agreement, American businesses must offer European consumers clear privacy policies that explain what personal data is being collected and for what reasons. U.S. companies have to establish a complaint process for European consumers who believe their data has been misused. And these consumers must be notified of third parties who process their data; these businesses would also have to follow the same tightened rules.
Officials say the deal is a significant improvement on the previous transatlantic data agreement, known as Safe Harbor, which allowed companies to move data across the Atlantic but lacked more robust data protections. The European Court of Justice, the EU’s highest judicial authority, struck down Safe Harbor last October in response to growing concerns about U.S. mass surveillance.
The impact of Safe Harbor’s invalidation, and the disruption of data transfers, had far-reaching consequences. The cross-border data, which includes browsing and shopping histories and social media profiles, is exceedingly valuable to technology companies. Beyond Silicon Valley, hundreds of billions of dollars are at stake and over 4,000 American businesses are potentially affected by this transatlantic data. So U.S. officials have negotiated to convince their European counterparts that robust safeguards exist to protect consumers and check government surveillance power.
“Bringing the United States and Europe, the world’s largest and most advanced economies, together around complex issues like privacy is not easy,” said U.S. Secretary of Commerce Penny Pritzker at a press conference in Brussels Tuesday morning. “But today it is more important than ever.”
Much of the negotiations leading to the Privacy Shield focused on clarifying U.S. eavesdropping limits. Under the agreement, EU citizens who believe their data has been misused can complain to data protection authorities across Europe. And an ombudsperson position will be created within the State Department to investigate any alleged wrongdoing.
“The discussions over the past years have basically been the U.S. government trying to prove to the European Union that they do not do mass and indiscriminate surveillance on EU citizens,” Alexander Whalen, a senior policy manager at DigitalEurope, a trade group whose members include Google, Amazon, and Microsoft, told BuzzFeed News. Whalen said many tech companies are eager to comply with the new data agreement.
But civil society advocates and data protection authorities in Europe are not convinced that the Privacy Shield is an adequate solution. They argue that U.S. government officials have failed to “provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU,” especially as growing fears of terrorism lead American agencies to over-collect information.
Privacy regulators have also questioned the independence of the State Department ombudsperson, arguing that the position has limited power and may not be able to seek meaningful remedies.
“I think everybody knows that this new Privacy Shield is going to be challenged again in the European Court of Justice,” Whalen said. “It’s going to come back to national surveillance.”
But for now, technology trade groups say the deal will help conclude the legal limbo American firms have been thrown into.
“It’s been a very uncertain situation for the last seven or eight months. So it’s good to see it coming to an end,” Victoria Espinel, the president of BSA - The Software Alliance, a group that represents Apple, Oracle, and IBM, told BuzzFeed News. “While I think it is reasonably likely a challenge will come, I’m also confident that the Privacy Shield would withstand that challenge.”
The European Court of Justice will likely decide the final outcome, experts say. “At a political level, the agreement potentially resolves a very contentious series of friction between the United States and Europe over privacy issues,” Daniel Hamilton, the founding director of the Center for Transatlantic Relations at Johns Hopkins University, told BuzzFeed News.
“While there’s potentially at least a diplomatic resolution here, it’s not the final say.”
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.