US and European officials agreed Tuesday to a data-sharing deal that would replace the Safe Harbor pact.
Safe Harbor had regulated commercial data sharing for 15 years until it was overturned by a European court last October after a privacy activist’s suit against Facebook.
Few details have surfaced about the new deal, dubbed “Privacy Shield,” which must still be approved by EU state regulators.
Sources with knowledge of the deal said there will be an implementation period of around three months, after which companies in compliance will be able to securely and legally transfer data between the continents in much the same way they could under Safe Harbor.
Despite this lack of clarity, marketers and US businesses were ebullient over the news.
“[The deal is] a long-awaited and essential step forward for the transatlantic economy,” said IAB EVP of public policy Dave Grimaldi. “With nearly $100 billion in advertising revenue between the two continents, this decision will hopefully bring much needed legal certainty to the digital advertising industry.”
Christopher Oswald, VP of advocacy at the Direct Marketing Association (DMA), applauded “the steadfast dedication and cooperation of EU and US officials involved in these successful negotiations to establish a new framework to preserve data flows.”
For a while, an agreement seemed unlikely as EU and US negotiators missed the original Jan. 31 deadline, and blistering comments from the top EU antitrust regulator provided an ominous backdrop for ongoing discussions.
Max Schrems, the Austrian activist who overthrew Safe Harbor, said it’s too early to assess the Privacy Shield, but added, “This is also the first time we see at least some movement by the US side.”
“It’s becoming clear that there were some concessions from the US in terms of giving EU citizens access to the process,” said Gary Kibel, a partner at Davis & Gilbert LLP who specializes in advertising law and data security.
The deal is unlikely to satisfy the European privacy community, which wants to remove US National Security Agency (NSA) access to all European customer and user data. Commerce Secretary Penny Pritzker, who led the US side of the negotiations, has no authority over the NSA, so it’s not in her power to meet the strictest demands of European regulators.
“In the US, there’s no general data privacy law; online privacy is mostly governed by self-regulation,” said Frederik Borgesius, a researcher at the Institute for Information Law in Amsterdam. Borgesius said data collection – and especially government transparency of personal data – comes with strongly loaded preconceptions in Europe, dating from World War II reconciliation to the 2009 EU Charter of Fundamental Rights.
“The only possibility to arrive at long-term solutions seems to be amending US law about surveillance by intelligence agencies,” said Borgesius.
Kibel warned that vastly different EU markets and philosophies will continue to impact marketers, and ad tech in particular. “This is very different than the self-regulated world, with industry trade groups working out the parameters of what’s acceptable,” he said.
“Some people think this applies only to personal info, but the EU definition of personal data is extremely broad.”
Americans draw a line in the sand when it comes to personally identifiable information, like name, address and phone number. Europeans push back on cookies and tags that track digital movement, regardless of whether it connects back to a specific individual in the real world.
