Cracks emerge in EU US data 'shield'
The next US administration can, if it so chooses, weaken an already patchy data sharing pact with the EU known as Privacy Shield.
The provisional agreement spells out how US companies can use the transferred data of EU nationals while respecting tough EU privacy laws.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
But fears are mounting a US administration headed by firebrand Donald Trump may attempt to punch holes in an agreement whose legal basis is largely based on promises and letters signed by top US officials.
Ted Dean, a US department of commerce official, told a room of skeptical MEPs on Thursday (17 March) that the US has made commitments to uphold its side of the bargain.
When pressed on the legal basis that ties the US to those commitments, he said it was in the commercial interest of the US to respect the rules.
"We've made these commitments, a new administration could look at them, but that is exactly why there is an annual review," he added.
His EU commission counterpart Tiina Astola echoed similar views, telling MEPs that possible changes is "a fact of life".
"Whenever an administration changes, when the legislature changes, there can be amendments and changes. But that is the fact of life," she said.
The two sides took years to reach a political agreement on how to protect the privacy of transferred data of EU citizens while allowing US firms to process and use that data for commercial ends.
Privacy Shield is supposed to ensure, among other things, that the US National Security Agency (NSA) won't bulk collect and use data of EU citizens once transferred to the US.
The entire agreement hinges on whether it can stand up against the scrutiny of the European Court of Justice in Luxembourg.
The Court last October scuppered a 15-year old Safe Harbour agreement following revelations by former NSA contractor Edward Snowden of US-led mass surveillance.
Over 4,000 US firms relied on Safe Harbour.
With Safe Harbour dead, many were at pains on how to transfer and use the data of EU citizens whose commercial value is estimated in the billions.
Negotiators on both sides of the Atlantic then scrambled to finalise the new Privacy Shield as a Safe Harbour replacement.
They then announced Shield at the start of February with much fanfare but without disclosing details on how it would work in practice.
Bulk collection still allowed
A few weeks later, the EU commission published a series of letters signed US state secretary John Kerry, commerce secretary Penny Pritzker, the Federal Trade Commission, and the Office of the Director of National Intelligence, amongst others.
Details in those letters show the US can still bulk collect data if targeted collection is somehow not feasible.
The EU commission says this is good enough, noting if the US fails to comply, it can suspend the pact.
"Even if bulk collection is sometimes allowed the sum total of these limitation and safeguards means there is no limitless collection and no limitless access, which is what the Court [ECJ] found to be in breach," said Astola.
The EU and US are hoping their arguments will re-inject business confidence among the thousands of firms that rely on processing data of EU nationals.
That includes restoring trust among the people whose data is being harvested. If people think the US will continue to violate their privacy, regardless of Privacy Shield, then they may turn away from US firms.
Some privacy advocates are describing Privacy Shield as a sham.
"Privacy Shield represents a step backwards for the scope and definition to the right of privacy," said Marc Rotenberg, president and Executive Director of the US-based Electronic Privacy Information Center.
He said section 702 of the US foreign Intelligence Surveillance Act (FISA) first needs to be repealed.
The section grants the US government sweeping powers to collect foreign intelligence information.