Privacy Shield aims to bridge EU-U.S. digital privacy gap, but question marks remain

U.S. companies, global e-commerce, collection of personal data sure to be affected

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

American whistle-blower Edward Snowden and Austrian citizen Maximilian Schrems are happenstance collaborators who together forced the United States and Europe to formally address an individual’s right to privacy in the Digital Age.

The EU-U.S. Privacy Shield agreement, announced Feb. 2, is a framework for rewriting the rules under which European citizens’ data can be transferred across the Atlantic into the possession of U.S. corporations.

The final chapter has yet to be written. And the lasting impact on individual Americans and Europeans—and on more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses—are, at this point, impossible to know.

Free resource: How to build customer loyalty by keeping data secure

Even so, the Privacy Shield deal assures substantive new privacy protocols are coming. And you can thank Ed and Max for that.

It was Snowden who outed the National Security Agency’s Prism surveillance program in the summer of 2013. Prism blew over quickly in the United States. But in Europe it intensified public demand for more individual control over personal data collected by U.S. e-commerce companies.

It was Schrems who last October persuaded the European Court of Justice that trans-Atlantic data transfer rules cobbled together in a 15-year-old agreement, known as Safe Harbor, were insufficient to keep European citizens’ data from the prying eyes of U.S. intelligence agencies.

Safe Harbor pact ruled invalid

Schrems single-handedly torpedoed Safe Harbor, thereby putting the business models of more than 4,500 U.S. companies collecting data from Europeans into a whirlwind of uncertainty.


“The European Court of Justice said that the Safe Harbor doesn’t work because it is against their (European citizens’) constitutional rights to privacy,” says Peter Swire, law professor at the Georgia Institute of Technology and senior counsel at Alston & Bird. “So that really has put things into a tizzy.”

The 28-year-old Schrems was reviled by Facebook’s aggressive collection and use of what he considered his private information. Schrems asked Facebook to send him his records and received a truckload of documents.

“But then he said that it wasn’t OK when Facebook sent data back to the U.S. because he said the U.S. protection on privacy wasn’t good enough and Safe Harbor wasn’t good enough,” Swire says.

When Schrems failed to get the Irish high court to rule on his grievances, he took it to the equivalent of the EU’s Supreme Court—and won. Swire believes none of this would have developed had it not been for Snowden.

Snowden created aftershocks

“Without Edward Snowden, the Safe Harbor decision wouldn’t have come out the same way,” Swire says. “Europe had been concerned about U.S. privacy practices for a while, but when the Europeans found out a lot of data was being collected by the NSA, it became personal for a lot of people.”

It evidently became personal, at some level, for the members of Europe’s high court. “I think that the Snowden revelations really laid the foundation for these changes we’re seeing now in Europe,” Swire says.

The new EU-U.S. Privacy Shield accord is a placeholder for an agreement in principle that will replace Safe Harbor. Details are being worked out and are scheduled to be disclosed this summer.

By going public with the broad provisions in early February, EU and U.S. regulators have tempered, somewhat, uncertainty and given privacy advocates and company decision-makers something to chew on.

Some of the details of the Privacy Shield:

• Puts the U.S. Department of Commerce in charge of overseeing how U.S. firms implement the agreement.

• Gives the EU, for the first time, a written description of how far the U.S. federal government can go to access data transferred from Europe.

• Gives any EU citizen the right to challenge the U.S. implementation of the new rules through their local data commissioner.

• Requires U.S. companies to comply with any orders from any EU data commissioner; an ombudsman will handle complaints.

Business consultants are spinning Privacy Shield as good news for U.S. companies as it removes that darkening cloud of uncertainty and at least gives them a baseline for planning operations under the new rules due this summer.

But the cloud could get dark once more. The United States is heading into a presidential election. A new U.S. administration could throw a monkey wrench in Privacy Shield. And legal challenges in the U.S. and EU are likely.

One thing is certain: the era of Google, Facebook, Microsoft, Apple and other U.S. companies engaging in e-commerce collecting, and profiting from, European citizens’ data with nominal oversight is over.

What that means for tech giants’ businesses practices when it come to U.S. citizens, if anything, remains to be seen.

Related stories:
Will Obama’s draft privacy law champion consumer rights?
Companies must not forfeit privacy in march of technology
How strong is the EU-U.S. Privacy Shield?