Privacy Shield mauled by European tech suppliers

But successor to Safe Harbour agreement cheered by US firms

This week's Privacy Shield agreement between the EU and the US has met with a hung jury, with tech suppliers on respective sides on the Atlantic squabbling over its efficacy or otherwise.

While various US-based IT companies have praised the new measures, a number of European players have poured scorn on them.

Falling firmly into the latter camp is Rafael Laguna, chief executive of Nuremberg-headquartered software company Open-Xchange. He claimed that the Privacy Shield framework fails to address the European Court of Justice's (ECJ) primary reason for invalidating the Safe Harbour arrangement, and that "mass surveillance is still permissible whenever the US government deems it necessary".

"Unfortunately, it is highly unlikely that this ‘shield' will defend European privacy rights in any meaningful way," he added. "Despite claims of ‘clear' safeguards and ‘transparent' obligations, without further definition around these terms, no legally binding improvements have been made. It is no relief to know that European complaints around the misuse of data will be referred to an ombudsman from the US State Department."

Richard Davies, CEO of London-based cloud firm ElasticHosts, is another to question whether the new agreement offers sufficient peace of mind to European end users.

"US businesses operating in the EU will breathe a sigh of relief with the news of the new agreement but this gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data," he said. "US government agencies have historically shown little regard for the data rights of other countries' citizens. In an age where concerns over mass surveillance are growing, it will no doubt alarm many website owners and cloud customers to see how little has been done to give assurance of their privacy."

The view from across the pond
Perhaps unsurprisingly, industry players from the other side of the Atlantic have reacted more positively to news of Privacy Shield being agreed. Dave Packer, vice president of product marketing at Californian cloud backup firm Druva, welcomed the news a "a good stopgap for data privacy, and I think that we should see a more permanent solution in due course".

Packer stressed that, since the collapse of the Safe Harbour arrangement, his firm had been "able to continue business in the EU because of our assurances around data privacy and security". Texas-headquartered software titan BMC Software is another to have minimised the impact of the recent uncertainty, having "anticipated the end of Safe Harbour early", according to the company's EMEA vice president Jason Andrew. He explained that BMC had strived to become the first firm to receive approval as both a data controller and processor for its binding corporate rules - an EC-recognised mechanism allowing multinational firms to define standardised global policy.

"This new transatlantic data flow partnership Privacy Shield may mark a significant turning point between the EU and the US on the topic of personal data protection," said Andrew. "As expected, greater accountability and obligations have been placed on businesses in the US who want to keep conducting business in the EU. EU citizens can now hold businesses accountable for any mishandling of their data and can formally issue complaints regarding this."

What next?
Those with seemingly no dog in this fight do not appear to share the conviction of those directly affected by the agreement's effectiveness - or not, as the case may be. Mark Thompson, privacy practice leader at professional services monolith KPMG claimed that "a lot of global businesses will be breathing a sigh of relief" on hearing news of Privacy Shield being agreed. But Thompson stressed that this week's announcement marks simply the beginning of a process that is likely to last a matter of weeks, if not months.

"I expect there to be further announcements in the coming days and it is likely to take a few weeks until we see the full details of the written agreement," he said. "I expect once we have this some robust challenges will remain around the implementation of the newly coined Privacy Shield agreement. I think this is the next chapter of an ever evolving story."

Vinod Bange, head of the UK data protection and privacy practice at international law firm Taylor Wessing, was another interested observer to note that "the devil is in the detail".

"We need to know more in order to assess how effective this initiative will be and whether it will be a relatively straightforward compliance path for US organisations who will have to ‘commit to robust obligations'," he added.
"In terms of longevity,y much depends on the seriousness with which the framework is taken in the US and whether genuine protection is provided. The good news though, is that pending further challenges, there will be a Decision of adequacy which will enable transatlantic data flows between the EU and organisations in the US which comply with the new scheme."

Yesterday's announcement follows months of negotiation between legislators from the US and EU. Safe Harbour, a self-certification scheme designed to protect the processing of EU citizens' data by US-based firms, was invalidated by the European Court of Justice in October.