Opinion: The triumph of Privacy Shield

The new data transfer pact between the US and European Union known as Privacy Shield opens the door to a new era of safe and secure digital commerce for Europeans.

By Julie Brill, Contributor

For the second time in less than a month, Europe stands on the threshold of history. As many Europeans are still trying to wrap their heads around the idea of a union without Britain, the European Commission has been moving toward ratification of a landmark data-protection agreement with the US.

The agreement, known as Privacy Shield, will provide European citizens with unprecedented protections for their personal and commercial data. It will also make Europe a vital hub in the global flow of digital information.

On Tuesday, European Commissioner for Justice Věra Jourová and Secretary of Commerce Penny Pritzker signed the Privacy Shield agreement, marking its final approval and opening the door on a new era of safe, secure digital commerce for European citizens and businesses.

But immediately following this historic step, Privacy Shield is certain to face legal challenges, leaving the courts to decide its fate. These decisions will have a monumental impact on the future of Europe, and on the European Union's place in the global economic hierarchy.

The EU and US have an opportunity to embrace our shared belief in free market economic principles and, more essentially, the democratic process. To quote President Obama, "What binds us together is greater than what drives us apart."

I believe that the Privacy Shield agreement captures these common values, and that's why I support its ratification and implementation. I do not take lightly notions of privacy. In the sometimes-pitched battle between the machinery of the free market and consumers' rights, I have staked my career on defending the latter.

Back in 2000, the Department of Commerce and the European Commission finalized a privacy framework called Safe Harbor. It was designed to protect the rights of European citizens as their data traveled across the Atlantic. American companies that adhered to Safe Harbor were allowed to collect and use data about European consumers and employees, and store the data on US servers.

By October of last year, some 4,500 U.S. companies, large and small, were relying on Safe Harbor to handle the data of tens of thousands of European and American employees and to do business with millions of European citizens.

Then, in October, the Court of Justice of the EU invalidated Safe Harbor, holding that it didn't provide Europeans with the levels of protection to which they were entitled as EU citizens.

But while the Court of Justice's decision in Schrems v. Data Protection Commissioner sounded the death knell for Safe Harbor, negotiations on an updated data security framework between the US and the EU had already begun, two years before Schrems, after Edward Snowden revealed that US intelligence agencies had been collecting personal consumer data held by American companies.

The Schrems decision certainly added urgency to these negotiations, but the writing had been on the wall since Snowden: European policy makers and privacy advocates believed that Safe Harbor's protections were no longer adequate.

Privacy Shield is the result of the negotiations that began in 2014, a new framework designed to replace and improve upon Safe Harbor. It is the framework that Europeans deserve today. Privacy Shield strengthens consumer protections with regard to both government and commercial access to data.

In doing so, it addresses the European Court of Justice's two major concerns about Safe Harbor. First, it outlines the fortifications to existing safeguards against government access to personal data for the purposes of national security surveillance. Second, it provides clear, inexpensive avenues of redress for individuals concerned that their data is being used improperly. These provisions are designed to meet the court's demands that the protections governing any transfer of Europeans' data out of the EU be "essentially equivalent" to those found in European law.

To understand Privacy Shield, and why its protections are adequate, it is important to understand the requirements that businesses and government agencies face under the current regime of American privacy law. It's true that the US has no single law like the baseline data protections found in most EU member states. But taken as a whole, US laws and regulations do provide a layered assemblage of strong consumer safeguards.

Indeed, US law was clearly the inspiration for many of the guiding principles that informed the drafting of the European General Data Protection Regulation, including an emphasis on data security and breach notifications, a focus on heightened protections for children's data, and a prioritization of deidentification of sensitive data.

Where government collection of personal data is concerned, the idea of a fundamental, constitutional right to privacy is a cornerstone of American law, deeply woven into our social and legal fabrics. Recently the right to privacy has been extended through the courts to include new technologies and new forms of communication. The Judicial Redress Act, the USA Freedom Act and President Obama's Policy Directive 28, all adopted in the wake of the Snowden revelations, honor and strengthen this tradition by providing new limitations on the way data is collected and used by US intelligence services.

The Judicial Redress Act, which explicitly extends the protections of the Privacy Act to foreign citizens, is particularly noteworthy in this discussion.

Other individual statutes protect information about children, finances, medical data, and student data, as well as information used to make decisions about consumers' credit, insurance, employment and housing. At the state level, approximately 60 privacy laws were passed last year alone. The Attorneys General of each of the 50 states, as well as a legion of federal agencies — led by the Federal Trade Commission — each have broad imperatives to enforce these laws and bring to account those whose actions do harm to consumers.

Privacy Shield clarifies this amalgam of restrictions already governing data flows in the US. With respect to government surveillance, the Office of the Director of National Intelligence and the Department of Justice have provided letters describing the limitations on government access to data for intelligence and law enforcement purposes. These letters are significant on two levels. First, they lay out the US government's binding commitments to apply the same protections to European citizen data that it applies to its own citizens' data.

These commitments include the government's fortification of citizens' protections in the USA Freedom Act and the US Foreign Intelligence Surveillance Act, and the improvements in the operation of the Foreign Intelligence Surveillance Court. Second, these letters demonstrate that the US, and in particular the intelligence and law enforcement communities, take the European Court of Justice's concerns seriously.

Of course, such assurances are only as good as one's capacity to enforce them. To that end, Privacy Shield mandates the creation and appointment of an ombudsperson, within the State Department, who will operate independently of the national security agencies and be available exclusively to Europeans.

Any European citizen with concerns about US surveillance of his or her data may file a complaint to the ombudsperson, who will in turn verify that any surveillance measure has been implemented in accordance with law, and correct any anomalies or violations of the citizen's rights. It is worth noting that the ombudsperson bears a striking resemblance to the National Oversight Commission — France's own solution to the balancing of individual rights and national security.

On the commercial side, Privacy Shield significantly enhances protections that had been built into Safe Harbor. For instance, Privacy Shield requires data controllers to obtain consent from Europeans before they share data with third parties, including affirmative, express consent to share sensitive data such as health information. Privacy Shield also compels data controllers to allow Europeans to access, correct, or delete their transferred data. Crucially, data controllers will have to require their business partners who receive information about Europeans to live up to these principles, as well.

Finally, a raft of new procedural safeguards will make it easier — and a lot less expensive — for European consumers to pursue justice when they have been wronged by a participating company. For instance, US companies that sign onto Privacy Shield must agree to provide independent recourse mechanisms at no cost to the complainant. Should this measure fail, individuals can then take the company to binding arbitration — once again at no cost to the individual — or to court.

Since Privacy Shield's debut, in draft form, three months ago, a number of stakeholders in Europe have analyzed and critiqued it. Most significantly, Europe's data protection watchdogs, collectively known as the Article 29 Working Party, welcomed Privacy Shield's "significant improvements," while suggesting some clarifications and expressing other continuing concerns.

The negotiating parties have spent the past three months enhancing Privacy Shield to address the Article 29 Working Party's concerns. The resulting improvements include added restrictions on the ability of Privacy Shield companies to retain data about EU citizens, and a clearer articulation of the extent of the ombudsperson's independence.

As I have traveled across Europe over the past months, I have heard various stakeholders voice an additional concern. They point out that, because Privacy Shield does not have the status of a treaty, a new US administration could water down Privacy Shield's protections.

They are correct that Privacy Shield is not a treaty. The commitments of its signatories, however, are binding — on the part of both the US government and companies that voluntarily sign up. It is hard to conceive of a US administration that would not eagerly embrace Privacy Shield and work hard to implement its highest levels of protection. But if such an anomaly occurs, there is a failsafe.

The new framework requires Europeans and Americans to consult at least annually on the framework's operation. And if the European Commission believes that the US is violating its commitments, it is empowered to suspend Privacy Shield.

Privacy Shield is not perfect — no large-scale regulatory framework is, especially not on the first pass. But perfection is not what the moment calls for. Instead, we should view Privacy Shield as a living framework. As I noted, the US Department of Commerce and EU Commission will engage in ongoing consultations about its effectiveness, and about whether the parties are living up to their commitments. The European Data Protection Authorities and the FTC will also hold continual discussions about enforcement issues under the framework.

The ultimate test of Privacy Shield's effectiveness will be how well it works in practice in the months and years to come. As for today, I am confident in saying that the protections provided to European citizens under Privacy Shield are "essentially equivalent" to those they enjoy on their own soil.

The final decision about Privacy Shield's adequacy will be made by the European Court of Justice. I am hopeful that the court will provide itself with the means to appreciate the full spectrum of protections built into Privacy Shield as they adjudicate the near-certain challenges to come.

Julie Brill is a partner at the Washington law firm Hogan Lovells and is a former Commissioner of the Federal Trade Commission. Follow her on Twitter @JulieSBrill.