Privacy Shield aims to bridge EU-U.S. digital privacy gap, but question marks remain

U.S. companies, global e-commerce, collection of personal data sure to be affected


American whistle-blower Edward Snowden and Austrian citizen Maximilian Schrems are happenstance collaborators who together forced the United States and Europe to formally address an individual’s right to privacy in the Digital Age.

The EU-U.S. Privacy Shield agreement, announced Feb. 2, is a framework for rewriting the rules under which European citizens’ data can be transferred across the Atlantic into the possession of U.S. corporations.

The final chapter has yet to be written. And the lasting impact on individual Americans and Europeans—and on more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses—is, at this point, impossible to know.


Even so, the Privacy Shield deal assures substantive new privacy protocols are coming. And you can thank Ed and Max for that.

It was Snowden who outed the National Security Agency’s Prism surveillance program in the summer of 2013. Prism blew over quickly in the United States. But in Europe it intensified public demand for more individual control over personal data collected by U.S. e-commerce companies.

It was Schrems who last October persuaded the European Court of Justice that trans-Atlantic data transfer rules cobbled together in a 15-year-old agreement, known as Safe Harbor, were insufficient to keep European citizens’ data from the prying eyes of U.S. intelligence agencies.

Safe Harbor pact ruled invalid

Schrems single-handedly torpedoed Safe Harbor, thereby putting the business models of more than 4,500 U.S. companies collecting data from Europeans into a whirlwind of uncertainty.


“The European Court of Justice said that the Safe Harbor doesn’t work because it is against their (European citizens’) constitutional rights to privacy,” says Peter Swire, law professor at the Georgia Institute of Technology and senior counsel at Alston & Bird. “So that really has put things into a tizzy.”

The 28-year-old Schrems was revolted by Facebook’s aggressive collection and use of what he considered his private information. Schrems asked Facebook to send him his records and received a truckload of documents.

“But then he said that it wasn’t OK when Facebook sent data back to the U.S. because he said the U.S. protection on privacy wasn’t good enough and Safe Harbor wasn’t good enough,” Swire says.

When Schrems failed to get the Irish high court to rule on his grievances, he took it to the equivalent of the EU’s Supreme Court—and won. Swire believes none of this would have developed had it not been for Snowden.

Snowden created aftershocks

“Without Edward Snowden, the Safe Harbor decision wouldn’t have come out the same way,” Swire says. “Europe had been concerned about U.S. privacy practices for a while, but when the Europeans found out a lot of data was being collected by the NSA, it became personal for a lot of people.”

It evidently became personal, at some level, for the members of Europe’s high court. “I think that the Snowden revelations really laid the foundation for these changes we’re seeing now in Europe,” Swire says.

The new EU-U.S. Privacy Shield accord is a placeholder for an agreement in principle that will replace Safe Harbor. Details are being worked out and are scheduled to be disclosed this summer.

By going public with the broad provisions in early February, EU and U.S. regulators have tempered, somewhat, uncertainty and given privacy advocates and company decision-makers something to chew on.

Some of the details of the Privacy Shield:

• Puts the U.S. Department of Commerce in charge of overseeing how U.S. firms implement the agreement.

• Gives the EU, for the first time, a written description of how far the U.S. federal government can go to access data transferred from Europe.

• Gives any EU citizen the right to challenge the U.S. implementation of the new rules through their local data commissioner.

• Requires U.S. companies to comply with any orders from any EU data commissioner; an ombudsman will handle complaints.

Business consultants are spinning Privacy Shield as good news for U.S. companies as it removes that darkening cloud of uncertainty and at least gives them a baseline for planning operations under the new rules due this summer.

But the cloud could get dark once more. The United States is heading into a presidential election. A new U.S. administration could throw a monkey wrench in Privacy Shield. And legal challenges in the U.S. and EU are likely.

One thing is certain: the era of Google, Facebook, Microsoft, Apple and other U.S. companies engaging in e-commerce collecting, and profiting from, European citizens’ data with nominal oversight is over.

What that means for tech giants’ business practices when it comes to U.S. citizens, if anything, remains to be seen.
