The EU-US Privacy Shield is up, but its future is in doubt

Critics say the agreement traded legislative reform for political assurances.

After much argument and discussion, the European Commission (EC) today adopted the Privacy Shield, an EU-US agreement that's supposed to protect the rights of Europeans whose personal data is transferred to the US. It's necessary because laws in the US aren't on par with Europe when it comes to data protection. With the agreement in place, companies like Facebook and Twitter can now freely move information between regions while ensuring that Europeans' rights are upheld.

The new agreement replaces Safe Harbor, a similar legal framework which was ruled invalid by the European Court of Justice (ECJ) last year. Safe Harbor basically allowed data to be transferred so long as companies stated they were in compliance with European privacy standards. Problem was, US tech companies have not been able to prevent agencies like the NSA from snooping on foreign data. It was the Snowden-led revelations of 2013 that eventually led to Safe Harbor being ruled ineffective at protecting data privacy.

Since the ECJ killed Safe Harbor, officials on both sides of the Atlantic have been scrambling to put together a replacement. Tech companies and other businesses that transfer data overseas have effectively been in a legal no man's land, with no framework in place but, in some cases, no way to stop transferring the data without shutting down their businesses.

At their core, the goals of both agreements are identical: Participating companies must treat data originating from the EU in accordance with EU law, regardless of whether it sits in a data center in Rome, Italy, or Rome, Georgia. And the way that companies do that, by essentially saying "yes we meet the EU standards," has also not really changed. The real difference here is in the safeguards that make sure companies and governments abide by the rules.

The changes in this respect are threefold. First, the US Department of Commerce is now responsible for ensuring companies are meeting the higher data privacy requirements. Second, any individual whose data originates from the EU (not just Europeans) can complain if they feel their rights have been violated. Those complaints will be forwarded to the relevant US department and handled "expeditiously" and "at no cost to the individual." Third, the US has "ruled out indiscriminate mass surveillance on personal data transferred to the US," and promised bulk collection would only be used under "specific preconditions and needs to be as targeted and focused as possible." Complaints pertaining to data transferred on "national security grounds" (as the Privacy Shield documents put it) will be handled by an ombudsperson, who should work impartially and independently of all federal security agencies.

The tech industry has been represented in the discussions surrounding Privacy Shield by DigitalEurope, a collective of companies and trade associations. The group, which includes Apple, Dropbox, Google, Microsoft, Samsung and Sony, has welcomed the agreement, and says its members are readying themselves to meet the new standards and sign up. Microsoft, in a blog post, said the decision "sets a new high standard for the protection of Europeans' personal data."

Others are less convinced. While the final agreement has yet to be analysed by parties outside of the discussions, leaks of the document have been read through by privacy advocates. In a post on Medium, Privacy International's legal officer Tomaso Falchetta said Privacy Shield will be "a field day for law firms." His arguments are nuanced, but the key point is this:

"Given the flawed premises — trying to fix data protection deficit in the U.S. by means of the Obama Administration's assurances as opposed to meaningful legislative reform — it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections."

Falchetta's words have been echoed by many, including Max Schrems, a lawyer and privacy activist whose complaint against Facebook's data practices set in motion a chain of events that killed Safe Harbor. "It's the same as Safe Harbor with a couple of additions, and it's going to fail like the one before," he told Fortune. "It's better than Safe Harbor, obviously, but far from what the ECJ has asked for." Although Schrems is unsure if he'll go after Privacy Shield in the same way, he's sure that someone will, and successfully so: "We haven't really made up our minds so far, but it's really not a problem to challenge it," he said. "There are so many options to kill it."