U.S.-EU data deal won't end cross-border data uncertainty

Image from

This summer, the European Commission may approve the Privacy Shield framework -- a replacement for the court-nixed Safe Harbor arrangement that had previously governed U.S.-EU data transfers – but the international uncertainty is unlikely to end.

That uncertainty threatens trillions of dollars in trans-Atlantic business. Europeans, whose court system recognizes such concepts as the "right to be forgotten," remain worried about the ways in which less-privacy-concerned Americans might use their data for commercial and intelligence purposes.

"It is clear that a model 21st century trade agreement cannot neglect the importance of the free flow of data to trade, investment, and business operations," U.S. Ambassador to the EU Anthony Gardner said in an address to the U.S. Chamber of Commerce in Belgium last month.

He aimed to allay European fears.

Since the Privacy Shield was initially hammered out in February, many European officials have weighed in, largely in non-binding capacities and largely to oppose the measure.

"[T]he Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the [European] Court [of Justice]," opined European Data Protection Supervisor Giovanni Buttarelli late last month.

That court struck down Safe Harbor over privacy concerns late last year.

Data Protection Authorities  from across the EU, represented in the Article 29 Working Party, also expressed reservations about Privacy Shield's privacy protections and vague wording, while noting the framework was an improvement over Safe Harbor.

Responding to DPAs' concerns, U.S. Ambassador Gardner clarified that Privacy Shield protections will "flow with [individuals'] data" even as that data is transferred to third parties.

He also stressed the notification requirements and complaint avenues included in the framework.

"Under the Privacy Shield, an individual may bring a complaint directly to a Privacy Shield participant company, and the company must respond to the individual within a fixed period of time," Gardner said. "If an individual submits a complaint to a DPA in the EU, the [U.S.] Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within a fixed period of time."

In the past few months, Congress passed – and President Barack Obama signed – the USA Freedom Act and the Judicial Redress Act, Gardner noted. The laws may give some comfort to privacy advocates.

Gardner also claimed American intelligence-gatherers are committed to as much transparency as possible – just look at the Tumblr account.

For some, the Privacy Shield seems like a solid framework.

"I think it's an improvement," U.S. Chamber of Commerce global regulation head Adam Schlosser told FCW. "It provides clarity. It's a step in the right direction."

The framework may not be perfect, but the alternative to a broad agreement are individual contract arrangements, the legal costs of which could keep smaller businesses from participating in trans-Atlantic markets.

The Privacy Shield still needs a final "adequacy decision" from the European Commission. Officials had initially expressed a hope to pen the decision by June, but Schlosser predicted it would come by July.

And then the real challenge will hit when the deal winds up in front of the court that killed its predecessor.

"Someone's going to bring a challenge to Privacy Shield," Schlosser said. "If not on hour one, then on day one."

About the Author

Zach Noble is a former FCW staff writer.


  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.