U.S. and European regulators have agreed to a tentative deal, officials say, that would allow thousands of U.S. companies to continue moving the personal information of ordinary Europeans across the Atlantic. The new "E.U.-U.S. Privacy Shield" deal will replace the original "Safe Harbor" pact — an agreement that was struck down by Europe's top court about three months ago, sending regulators on both sides scrambling to fashion a new arrangement that could withstand a legal challenge.
A deal is crucial to companies such as Facebook and Google, which rely on collecting personal data seamlessly across the world to sell targeted advertising to users. But Safe Harbor is also crucial to thousands of other companies, from start-ups to big multinationals such as Coca-Cola and General Electric, which keep track of how customers are using their products.
Here's what you need to know about this critical privacy agreement between the two regions.
What is Safe Harbor?
Back in 2000, the United States and the European Union hammered out a deal that attempted to reconcile a big difference between European and U.S. laws when it comes to privacy: Europe believes privacy is a fundamental right, and has data protection promises built into its charter. In the United States, there are some federal protections for things like credit and health care information, but there's no single national law that lays out privacy rights.
Safe Harbor basically gave companies the okay to move Europeans' data to the United States if they committed to a set of general principles loosely based on European privacy law. And that agreement became even more important to tech companies in recent years because they routinely bounce information around data centers around the world.
What happened to it?
Basically, Max Schrems. He's an Austrian student whose activism brought the deal down. Schrems has been advocating for European digital privacy rights for years, focusing his efforts primarily on how Facebook handles Europeans' data. He complained to privacy regulators in Ireland, where Facebook's international operations are based. And when the regulators decided not to investigate, citing that the company was covered by the Safe Harbor agreement, he took them to court.
That case was eventually routed to the European Court of Justice, which struck down the agreement last October based on arguments that the agreement failed to protect Europeans from U.S. government surveillance.
"This decision is a major blow for U.S. global surveillance that heavily relies on private partners," Schrems said in a statement after the decision came down. "The judgement makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
How did everyone else react?
Tech companies and the U.S. government sort of panicked. "We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and E.U. companies and consumers, and puts at risk the thriving transatlantic digital economy," U.S. Secretary of Commerce Penny Pritzker said in a statement at the time. "The court's decision necessitates release of the updated Safe Harbor Framework as soon as possible."
The E.U. and U.S. were already trying to negotiate a new version of the agreement when the court ruling came down, but the talks took on a new sense of urgency afterwards. Companies such as Microsoft publicly weighed in on their ideas for a fix — and warned of "a return to the digital dark ages" where data is segregated by nation if something couldn't be worked out.
It's possible that without a deal, U.S. companies would have been forced to rework how they handle Europeans' data — keeping it in local data centers and complicating their digital infrastructure — or rely on complicated contract clauses to govern how they use the data.
What's in the new deal?
The details are still emerging, but officials say the pact will include several assurances from the U.S. side:
- Access to Europeans' data by law enforcement and national security agencies would be subject to "clear limitations, safeguards and oversight mechanisms."
- U.S. companies would have to agree to a set of standards on how personal data is processed, while guaranteeing individual rights. The Department of Commerce will ensure the companies post those promises publicly, which makes them enforceable under U.S. law by the Federal Trade Commission.
- Europeans will have new ways to address how their data has been handled by companies. If they lodge a complaint, the companies will have a deadline to respond. E.U. citizens can go through their local data protection authorities to complain to the FTC. The pact also sets up a no-cost "Alternative Dispute resolution" process for consumers.
- The U.S. will also set up a new ombudsperson at the State Department to respond to complaints about potential access to data by the national intelligence community.
Is this a good thing?
That depends on who you ask. Industry, at least, seems to be happy. "The agreement reached between the E.U. and U.S. sets an essential legal and political foundation for the free flow of data across international borders," Mark MacCarthy, senior vice president of public policy at the Software & Information Industry Association, said in a statement.
Peter Swire, a Georgia Institute of Technology law professor who helped negotiate the original Safe Harbor agreement, said it's good for users too. European users, he said, will have more ways to get redress than under the old agreement. And U.S. consumers "benefit if the Internet continues to function effectively on both sides of the Atlantic," he added.
But many privacy advocates are not happy with the new deal. They had hailed the court decision in October as a victory for European consumers who wanted to challenge how U.S. companies were collecting and using their data. In Europe, individuals can more easily request details of the personal data companies have collected — and they even have the so-called "right to be forgotten," which gives them the ability to ask Microsoft or Google to hide negative information about themselves from search results.
Some privacy advocates hoped that the end of Safe Harbor would force tech companies to make further privacy and transparency changes in Europe — and potentially even expand them to consumers in the U.S. and elsewhere, because it would be difficult to run what would essentially be separate services for different parts of the world. The advocates also hoped the October court decision would put pressure on Congress to craft federal privacy protections, because the issue had become a trade barrier.
"The only hope that Americans had for privacy was for Europe to continue to insist that U.S. companies improve their practices," said Jeff Chester, the executive director of the Center on Digital Democracy. "Now, the Commerce Department has created a new shield against privacy and consumer protection."
What happens next?
The new deal still needs to be finalized and approved by the European Union's 28 member states — and on Wednesday, a group of European data commissioners is set to weigh in on how they think E.U. citizens' data should be protected when sent overseas.
What's more, a new deal may face the same sort of judicial scrutiny that took down the original Safe Harbor agreement. While negotiators say they believe they've hammered out a deal that will stand up to that pressure, privacy advocates are already talking about returning to the courtroom.
"There will be clearly people that will challenge this – depending on the final text I may well be one of them," Schrems said in a statement.
Swire, too, expects there will be legal challenges. "I expect the complaints to make it back to the European Court of Justice," he said.
So while thousands of companies that relied on Safe Harbor may be sighing in relief now, it's not clear the new agreement will stand the test of time.