Perspective: Data Pact With E.U. Is Progress, However Tenuous

Editor’s Note: The author of this post works in the eDiscovery industry.

By Chris Gallagher, national director of eQ discovery services

“You Have an Accepted Offer.”

It is not often that so few words can bring so much joy. Whether a new car, candidate job offer, or the epitome, a new house – the immediate elation that is felt by those words is hard to beat.

As quickly as the elation comes upon you it is ultimately fleeting as you realize that an accepted offer is only one, very small step, in a long arduous process to ultimate home ownership.

This fleeting excitement can be compared to the likely celebration that was felt around the world by those watching the drama around Safe Harbor play out. As the January deadline for Safe Harbor 2.0 came and went it was looking like an agreement would not be reached.

However, on Feb. 2nd  the College of Commissioners approved the political agreement reached and mandated that Vice President Andrus Ansip of the European Commission and Commissioner Vera Jourová  prepare the necessary steps to put the new arrangement in place. The Marvel Comic-sounding name of ‘The EU-US Privacy Shield’ replaces the nearly 15-year-old Safe Harbor agreement that was left in ruins following Edward Snowden’s revelations and the subsequent challenge of the Safe Harbor by law student Max Schrems.

The Privacy Shield represents an advancement over the previous agreement in a number of ways. The Shield is slated to be a living agreement evaluated annually with the first such review in 2017. This will ensure it is befitting its stated goal of allowing free transfer of digital information, while protecting the data privacy rights of EU citizens.

The Shield is also comprised of a number of channels to address claims by EU citizens who feel their data privacy has not been respected. This includes the filing of a complaint with the company at issue, followed by a similar request for resolution with the U.S. Department of Commerce. Finally, if neither of those provides a satisfactory path – the involved parties may turn to a newly created independent ombudsman within the U.S. Department of State to allay fears and address issues.

There is no doubt that a momentary sigh of relief was felt by each of the over 3,000 corporations around the globe that relied on Safe Harbor to transfer European Data to the U.S. However, that relief was quickly replaced by doubt as questions around the ultimate legitimacy of the provisions crept in.

As companies sign up for this new agreement, assuming it is fully fleshed out, they will have to agree to a regular review of their data processing practices and make additional, yet to be completely determined, assurances regarding how they handle European data.

The above agreement is not a treaty and therefore does not carry the weight of law. It is very much a political agreement and may find itself subject to the whims of a rapidly changing U.S. government. As the Iowa caucuses are ending and our election season is beginning in earnest, more than the presidency will be at play. If the Privacy Shield is to have a chance then the EU data protection authorities and judges across Europe need to take a moment and refrain from regulatory actions and judicial hearings to allow time for the agreement to be fully hashed out. Civil liberties unions and data privacy advocates will likely challenge this as they did Safe Harbor under the terms it lacks the necessary safeguards for European’s private data. Politicians are much more likely to play ball and blur the lines into gray areas than judges and advocates, like Max Schrems.

Forward progress, however slow, is progress none the less, but U.S. corporations should continue to watch the developments closely and keep those Model Contract Clauses close at hand. Until the ink is dry, we cannot be sure it won’t make its way back to the courts in Luxembourg.