Europe’s effort to export its tough privacy rules around the world is about to run into a wall of U.S. resistance.
Over two days of negotiations with U.S. officials this week in Brussels, the European Union is set to voice concerns about how Washington watches over EU citizens’ data under a transatlantic data protection pact that underpins billions of euros of annual trade, but which has become a lightning rod for how Brussels and Washington differ markedly on digital data protections.
Senior officials, including Věra Jourová, the EU’s justice commissioner, and Wilbur Ross, the U.S. commerce secretary, will hold talks from Thursday as part of an annual review of the Privacy Shield pact. At stake is which region — Europe or the United States — has the right to set privacy standards that apply whenever data is moved across the Atlantic.
The EU is set to push for further concessions from the U.S. about how its citizens’ information is collected, stored and used by American government agencies and companies when it is shipped from Europe to the United States, following a revamp of data protection rules that came into force earlier this year. While the European Union is not expected to tear up Privacy Shield this week, the deal does face a reckoning in less than a year as it comes under review in Europe’s highest court.
“We have a list of things which needs to be done on the American side,” Jourová told POLITICO in reference to the upcoming review of the international data transfer deal. “And when we see them done, we can say we can continue.”
Standing in the EU’s way, though, is the U.S. government. Washington is adamant that its existing protections — dating back to the constitution’s Fourth Amendment in the late 18th century — as well as its rollout of the EU-U.S. data transfer deal since 2016 means there are now sufficient privacy guarantees to ward off European complaints.
Several U.S. officials, who spoke on condition of anonymity because they are not authorized to speak publicly, also questioned why the EU is focusing on Washington’s access to sensitive personal data when many European national governments have similarly intrusive data collection programs.
“There is no non-compliance,” Gordon Sondland, the U.S. ambassador to the EU, told reporters earlier this month in reference to Privacy Shield. “We are fully compliant,” he said. A spokesman for the U.S. commerce department declined to comment.
The standoff comes as people around the world grow increasingly wary of how digital giants use their personal data, especially in the wake of the Facebook-Cambridge Analytica scandal. Both companies deny wrongdoing in the breach, which allowed third-party companies to access the data of 87 million users without consent.
Fears about privacy will hang over the two-day talks in Brussels, which are bringing together more than 100 EU and U.S. officials, including Joe Simons, chairman of the U.S. Federal Trade Commission (FTC). Jourová, for instance, is expected to ask for an update on the FTC’s ongoing Cambridge Analytica investigation, even though that inquiry is not within the remit of the review.
But that is just one of many European concerns, most of which arguably focus more on Washington’s political attitude toward data protection rather than the daily workings of the data protection deal, according to EU officials directly involved in the talks.
The European list of grievances includes complaints about the ombudsman at the U.S. State Department, a position designed to field complaints from Europe’s national privacy watchdogs over how the U.S. government accesses EU data.
Manisha Singh was appointed in early September as the State Department’s Privacy Shield ombudsman, as well as acting undersecretary for economic growth, energy, and the environment. But Brussels still is not satisfied because her position is not permanent, or sufficiently high-ranking.
So far, less than 10 complaints under Privacy Shield have been made to EU national privacy agencies, according to a review by POLITICO. No cases have been forwarded to U.S. officials.
EU negotiators are also expected to push U.S. officials to beef up monitoring of how companies — more than 3,500 businesses from Facebook to small firms — use the transatlantic pact, as well as assurances from the White House that it will stick to promises to limit security agencies’ use of EU data, according to European officials.
“There are still deficiencies in the system,” said Claude Moraes, a member of the European Parliament from the Socialists & Democrats, who drafted a nonbinding resolution earlier this year calling on EU officials to scrap Privacy Shield. “We still don’t know if the U.S. is taking this seriously.”
For U.S. officials, those fears are overblown.
Washington argues that it has complied with the agreement, including the recent appointment of privacy regulators to the Privacy and Civil Liberties Oversight Board, an obscure U.S. government agency that oversees certain data protection concerns.
The FTC also is set to champion its enforcement powers, which have seen eight U.S. companies lose accreditation under Privacy Shield for failing to protect EU citizens’ privacy rights.
“The FTC has been taking enforcement action against companies that claim they’re complying,” said Justin Antonipillai, a former senior commerce department official, who helped to negotiate Privacy Shield. “There is always going to be criticism around this, especially if you see [data] breaches. It’s going to take a lot of work to build trust in coming years.”
While the two sides are likely to clash, officials and industry watchers don’t expect the EU to choose the nuclear option of scrapping the pact — a move that would likely hurt European companies as much as large U.S. tech firms like Google and Facebook.
Such reluctance suggests that, despite the tough rhetoric coming out of Brussels, Europe is failing to get Washington to accept its far-reaching view of data protection standards.
Others say the absence of a meltdown is a sign that the system is working, and that the annual review is doing what it was designed to do: provide a framework for dialogue where both sides can voice their views without flipping the table.
“It’s a healthy thing because it creates a mechanism where the EU and U.S. can have conversations about cross-border data flows,” said Dean Garfield, president of the Information Technology Industry Council, an industry group that represents many of Silicon Valley’s biggest names. Such dialogue “doesn’t exist in other parts of the world.”
A final decision on whether the agreement stays in place will follow in November, when the European Commission sends its formal decision to Ross.
Yet the annual gatherings — and legal certainty around EU-U.S. data transfers — could also collapse.
In the first half of 2019, Europe’s highest court will hold hearings over complaints brought by EU privacy campaigners aimed at striking down the pact. The groups argue that the U.S. still does not offer sufficient guarantees for Europeans’ data under Privacy Shield, and that the continued movement of digital information to the U.S. breaches EU fundamental rights.
If the European Court of Justice rules against the pact — a decision would be made in early 2020, at the earliest — European and U.S. officials would be again forced to restart negotiations over how to share data.