THE EUROPEAN Union and America have reached a deal on data protection. The “EU-US Privacy Shield” allows companies to store Europeans’ personal data on American computers. This ends a three-month hiatus since the European Court of Justice struck down the previous agreement, “Safe Harbour”, on the grounds that it gave insufficient protection against snooping by American spy agencies. Failure to reach a deal could have sparked a damaging legal spat, in which some European national data protection agencies could have ruled illegal all transfers of data across the Atlantic.
A transatlantic gulf separates ideas about data privacy: EU law sees it as a cherished human right; in America, it is more about consumer protection. Moreover, America’s National Security Agency (NSA)—the biggest and most powerful electronic-intelligence agency in the world—sparks fears in Europe of untrammelled snooping. The EU has no intelligence agencies of its own—so the tradeoffs between security and privacy which exist at national levels (where spymasters cooperate gladly and gratefully with the NSA) are invisible. Caught in the middle are the internet and technology companies: big ones could set up Europe-only data centres; small ones might find that doing business across the Atlantic was just too much trouble.
Following the revelations of the NSA’s reach by Edward Snowden, an intelligence contractor who fled to Moscow, America changed its approach. Barack Obama announced measures in January 2014 which for the first time gave foreigners’ data some legal protection. But the new deal involves some more compromises. America will establish a data ombudsman. Europeans will have access to judicial redress. And the deal will be reviewed every year. The EU commission and American negotiators are still working on other details: the announcement on February 2nd marks a political agreement, not a fully-fledged legal one.
Will that be enough? European privacy activists are derisive about the new arrangement. They do not believe that an American government agency which operates in secret can be trusted to obey any rules. What is the point in Europeans having judicial redress when they will not know if their data has been spied on? It is likely that the new deal will be tested in the European Court of Justice. But if the European Commission tells the court that American privacy protection is now adequate, it will be a lot harder for judges to rule otherwise. The transatlantic data flows, and those whose jobs, profits and deals depend on them, look a lot safer.