The European Union and United States reached a political agreement last week on allowing EU citizens’ personal information to be sent across the Atlantic, but lingering uncertainty about whether the pact will be approved by EU regulators has businesses — and U.S. lawmakers — on edge.
The Commerce Department has said implementation of the new accord would safeguard some $260 billion that more than 4,000 businesses such as Google and Amazon contribute to the U.S. economy each year.
The deal, announced on Feb. 2, focuses heavily on providing privacy assurances to EU citizens concerned about how their data might be used by the U.S. government. It’s a concern that grew after revelations in 2013 about the extent of surveillance by the National Security Agency.
Negotiators on both sides of the Atlantic raced to reach the pact before a body of EU regulators was poised to start discussing potential penalties on businesses transferring data from the EU to the U.S. if no “appropriate solution” had been found.
For now, even though the new pact is far from final, businesses are being spared from enforcement actions.
Instead of recommending penalties right away, EU regulators requested that the European Commission provide details on the new data transfer agreement by the end of February since the group had not yet seen a text of the proposal. The regulators are then expected to make a decision about whether the new pact addresses privacy concerns raised in an October court decision that invalidated a previous framework. The EU’s highest court ruled that the U.S. did not do a good job protecting EU citizens’ data sent from the EU to the U.S. in various transactions such as airline reservations and payroll processing under a framework that had been in place since 2000. That program was run on the U.S. side by the Commerce Department with enforcement from the Federal Trade Commission.
U.S. lawmakers welcomed the announcement of a political agreement but made it clear they’ll keep a watchful eye on what happens next.
“Our focus now turns to understanding the finer details and enforcement mechanisms of the new deal, which hopefully won’t temper today’s good news,” Republican House Energy and Commerce Committee leaders said in a statement on the day the agreement was announced. “All of the unnecessary delay has been costly, but it’s important to note just how critical this is for job creators on both sides of the Atlantic and our respective economies.”
Senate Commerce, Science and Transportation Chairman John Thune, R-S.D., urged the EU and Commerce Department to implement the new agreement “without delay.”
There will be several months of waiting, though, as the EU starts a multi-step process of formalizing the agreement. That process is likely to draw out the suspense for businesses looking for a longer-term answer on how they can legally transfer data from the EU to the U.S.
“It seems in general a pause button has been hit,” said Adam C. Schlosser, director of the Center for Global Regulatory Cooperation at the U.S. Chamber of Commerce.
EU regulators said last week that companies using alternate mechanisms like model contract clauses and binding corporate rules to transfer data from the EU to the U.S. will continue to be able to do so. The group warned, though, that companies that don’t have those mechanisms in place are at risk of penalties from the data protection authorities in EU member states.
Schlosser said he’s hopeful the EU data protection authorities “will use common sense” in making any decisions about whether to bring enforcement actions against businesses until a new pact is finalized.
Tech groups expressed concern about the remaining uncertainty of potential penalties.
“We call on European Data Protection Authorities to endorse this new and strengthened framework and give time for … companies to transition,’’ said Computer and Communications Industry Association International Policy Director Christian Borggreen in a statement.
Mark MacCarthy, senior vice president of public policy at the Software and Information Industry Association, said in a statement that the new agreement would help “avoid overly protective restrictions or inconsistent country-by-country regulations which could severely limit digital trade’s global benefits.”
“We believe the framework will be effective in fostering global economic progress, and we hope it will be quickly reviewed and made final by European leaders,” he said.
Before the European Commission can consider adopting the new deal, the working party of regulators must give its advice and there must be a vote in a committee composed of representatives of member states, according to an approval process outlined by EU officials. At least 16 out of 28 EU member states representing at least 65 percent of the total EU population would have to vote in favor of the deal for it to proceed.
That vote could show whether member states are convinced the new pact would be enough to protect their citizens’ privacy in the U.S.
The agreement comes with a slew of provisions aimed at ensuring personal data is protected from “indiscriminate mass surveillance.”
“I believe this new arrangement … is what Europe needs. Both our citizens and our businesses will benefit from this,” European Commission Vice President Andrus Ansip said in a press conference in Strasbourg, France.
Among other things, the new accord calls for creating a special ombudsperson to address EU citizens’ complaints about U.S. agencies’ handling of their data, holding a joint annual review of the agreement and requiring written assurances from the National Intelligence director that EU citizens’ personal data is protected.
“It was a tough negotiation focused on protecting privacy for both EU and U.S. citizens and businesses,” Commerce Secretary Penny Pritzker said in a call with reporters.
The EU’s Justice, Consumer and Gender Equality Commissioner Vera Jourová said she and Ansip will prepare documents related to the new agreement, which is being referred to as the “EU-U.S. Privacy Shield,” for adoption in the coming weeks by the European College of Commissioners.
“We will do our best to have the new arrangement in force as soon as possible. My estimation is three months,” Jourová said.
Jourová said the main achievements of the pact are that it provides clear safeguards and transparency obligations on U.S. authorities’ access to data and that the U.S. is providing “for the first time ever” binding assurances to the EU on the limitations of law enforcement and national security agencies’ access to data. Those assurances are to be provided in writing by the Office of the Director of National Intelligence, she said.
“This is a unique step the U.S. has made in order to restore trust in our Trans-Atlantic relations,” Jourová said.
The State Department has also agreed to create a special ombudsperson role for complaints by EU citizens concerned about their data.
The European Commission and Commerce Department will review the agreement annually.
Pritzker and Jourová expressed confidence the new agreement will withstand any future legal challenges. But some representatives of member states have been quick to express skepticism that the agreement will do enough to protect EU citizens’ information from U.S. surveillance, and privacy advocates are already predicting there could be further court battles.