The EU-US data deal that isn't
Author: Nikolaj Nielsen
The European Commission is broadly relying on promises from the US authorities that they will protect the fundamental rights of EU citizens on a data transfer deal that has no legal text.
Details of how the new EU-US Privacy Shield will work in practice remain vague as threats emerge of a possible legal challenge in the European Court of Justice (ECJ) in Luxembourg.
The deal, announced after two years of talks, replaces a loophole-riddled Safe Harbour agreement that was declared invalid by the ECJ last October following media revelations of a US-led global digital dragnet.
Some 4,000 US firms had relied on Safe Harbour for 15 years, with hundreds having made false claims they adhered to the pact.
It will take weeks before the new deal launches, meaning the companies will now have to sign up to other transfer regimes or face possible fines.
The chair of the EU's main privacy regulatory body, the article 29 working party, Isabelle Falque-Pierrotin, told reporters in Brussels on Wednesday (3 February) it was unable to give any preliminary assessment of Privacy Shield.
Deal...what deal?
In October, the regulatory body had given the EU and US negotiators a grace period extending to the end of January to finalise a new agreement, against a backdrop of potential "collective enforcement" action against US firms should its deadline be missed.
And while both sides announced the pact on Tuesday (2 February), it remains based on an "exchange of letters" akin to a handshake.
Falque-Pierrotin, who has since backed down on the enforcement threats, said she did not "know exactly what it [Privacy Shield] covers and what is the legal 'bindingness'".
Falque-Pierrotin wants the paperwork on Privacy Shield by the end of February to study its content and legal strength, with a final assessment due sometime at the end of March.
The probe will also determine if other transfer regimes, which are also riddled with problems, can still be used in light of the new agreement.
But despite the issues, Falque-Pierrotin said the other transfer regimes could be used "until we have conducted and finalised the assessment of the new arrangement".
EU data regulators say Shield must respond to the wider concerns on the international transfer of personal data raised by the ECJ judgment.
Similar concerns were highlighted by the European Parliament.
British centre-left MEP Claude Moraes, who chairs the civil liberties committee, said the new pact "has too much in common with the previous Safe Harbour decision".
Substandard US laws
Past agreements often saw EU negotiators cave in to US demands on things like granting the Americans access to financial transaction data and allowing them to store airline passenger records for 15 years.
But the EU court's decision gave commission negotiators an added boost in talks and increased the hope amongst data privacy campaigners that it would seal a deal that better protected privacy rights.
Despite moves by the US administration to prevent mass surveillance and boost privacy rules, its current laws remain substandard for EU data regulators.
"We still have concerns of the US legal framework", said Falque-Pierrotin.
One of the remaining issues is how to establish clear rules on data processing. Another is how to determine whether US intelligence access to personal data is necessary and proportionate.
She called for independent oversight of US intelligence and the ability for EU citizens to defend their rights.
"These four essential guarantees constitute a kind of European standard," she said.
She noted the new Privacy Shield may alleviate some of those concerns but only once a complete analysis has been made by the end of March.