Data Transfer Deal Already Under Fire
It didn't take long for dents to appear in the proposed E.U.-U.S. Privacy Shield.
The trans-Atlantic data transfer agreement designed to replaced a 15-year-old Safe Harbor arrangement struck down last fall drew immediate criticism on both sides of the pond. European Union officials announced the deal on Tuesday (Feb. 2), days after negotiators missed an earlier deadline.
The tentative agreement appears to be a victory for large U.S. companies like Amazon (NASDAQ: AMZN), Apple (NASDAQ: AAPL), Facebook (NASDAQ: FB) and Google (NASDAQ: GOOGL) who transfer huge amounts of private and corporate data across the Atlantic. However, skeptical vendors, including data management outfits designing platforms to securely store user data on European servers, questioned the efficacy of the proposed Privacy Shield.
"We’ve decided we’re going to continue keeping our EU user data in Europe," said Aytekin Tank, CEO of San Francisco-based JotForm Inc. The Safe Harbor agreement allowed U.S. companies to store European data in its U.S. datacenters. After a European court invalidated the original Safe Harbor arrangement, a group of vendors including the online form builder introduced tools that would allow European users to store their data on European servers.
Tank said the proposed Privacy Shield was a good first step, adding, "We believe that the permanent solution for U.S. companies is to keep user data in Europe."
Other vendors developing file services for handling the transfer of private data were more critical of the deal. Ian McEwan, vice president and general manager for Europe, Middle East and Africa at file services specialist Egnyte Inc. called the tentative E.U.-U.S. deal "temporary relief" and an "incremental step."
The Silicon Valley company's beef is that vendors and their enterprise customers are again being force to trust a third party with their data. Those concerns also prompted European negotiators to extract concessions from the U.S., including assurances from Washington aimed at limiting the ability of U.S. intelligence agencies to collect data on Europeans when personal information is transfer to the U.S.
The Privacy Shield deal was announced on Tuesday after U.S. officials agreed to provide annual written assurances.
That's not good enough for some companies. "There is far too much trust being placed in government agencies and a heavy reliance on the integrity of systems that have provided unsatisfactory levels of transparency," McEwan of Egnyte asserted. "In order to guarantee privacy of their data businesses will need to take matters into their own hands, leveraging tools and best practices that go beyond simple encryption."
Industry groups like the Washington-based Information Technology & Innovation Foundation (ITIF) that had pressed negotiators to forge a deal, praised the tentative framework. "Going forward, the United States and E.U. should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation," ITIF said in a statement. It also called on both sides to promote stronger data encryption and improve cyber security.
Meanwhile, negotiators put the best face on the agreement. "U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed," European Union Commissioner Vĕra Jourová stressed in a statement announcing the new framework.
Under growing pressure to cut a deal, U.S. Commerce Secretary Penny Pritzker asserted in a statement that the Privacy Shield framework would provide "certainty that will help grow the digital economy."
As both sides await possible legal challenges and growing skepticism among the 28 E.U. member states, European data protection officials said companies could continue to transfer data until the end of February. If approved, the Privacy Shield framework could go into affect in April.