The US government has poured cold water on the idea of making changes to the new Privacy Shield agreement that will cover transfers of people's private data between the US and Europe, potentially putting the entire agreement at risk.
Under secretary of commerce for international trade, Stefan Selig, told Reuters that the US government would be "very cautious about not upsetting ... a delicate balance."
That delicate balance followed two years of talks between US and EU officials, but was accelerated when the European Court of Justice struck down the previous Safe Harbor agreement in October 2015.
Despite those efforts, however, last week the Article 29 Working Party – made up of data protection agencies from across Europe – said it was not happy with the final wording and questioned several key components, including whether national security exemptions were legal, how the agreement review system would actually work, and how independent the US Ombudsman really was.
All three of those concerns point to the main issue that caused the previous agreement to be deemed illegal: mass surveillance of data by the US security services.
Put simply, the NSA and other security services want the ability to trawl through any data sent from Europe to the US (which means, in effect, the vast majority of online services like Google searches or Facebook posts). And Europe wants the US to respect Europe's data protection laws, which grant a degree of privacy over people's online activities.
The "delicate balance" will still allow for effective mass surveillance, but Europeans will be able to appeal to an independent Ombudsman if they feel their data has been accessed inappropriately.
The Article 29 Working Party strongly implied that this approach was little more than window dressing, however, when it questioned how independent the Ombudsman really was. The Working Party said there were precious few details about the agreement's review process, ie, the concern is that the "review" would be little more than a rubberstamping exercise.
The question over the legality of special exemptions for national security – in other words, mass surveillance by the NSA – comes as the European Court of Justice is reviewing the UK's GCHQ spying activities to see whether they are legal. If the court decides they are not, then the exemptions in the Privacy Shield would also become illegal.
The Working Party specifically noted that the agreement did not include the fact that "massive and indiscriminate collection of personal data" was not allowed; its omission implying that it is.
US trade under secretary Selig said that the Article 29 Working Party's report was an "important milestone," but then made the comment about being "very cautious" about upsetting the delicate balance.
It was a message to EU government representatives, who ultimately will vote on the new agreement, that the US is not prepared to make any significant concessions, putting pressure on them to find a solution before the planned signing date of June.
The Working Party's recommendations are not binding, so the EU can approve the Privacy Shield despite their concerns. However, it is very likely that if the concerns are not tackled effectively, the agreement will be referred to the European Court of Justice. There it risks being struck down again for failing to meet European privacy standards.
The flow of data between the US and Europe is a hugely important economic driver worth hundreds of billions of dollars each year. It covers everything from credit card transactions to online advertising to search engines to social media.
Without a broad agreement covering data across the Atlantic, companies would effectively be obliged to draw up new contracts and get all customers to agree to them – a huge burden and something no one wants. ®