More than 2,000 U.S. companies would be forced to stop handling EU residents' data, at least temporarily, if the EU scraps Privacy Shield.

Privacy Shield, the year-old agreement that allows U.S. companies to handle the personal data of people living in the European Union, may be in jeopardy as Congress debates an extension of a controversial surveillance law.

Section 702 of the Foreign Intelligence Surveillance Act, which allows the National Security Agency (NSA) to run foreign surveillance programs such as Prism and Upstream, expires at the end of the year. Many privacy advocates and European lawmakers are pushing for the EU to back out of Privacy Shield if U.S. lawmakers don’t build in more protections for Europeans.

If the EU scraps Privacy Shield, it would cause major headaches for U.S. Internet companies and other businesses that rely on the agreement to process EU customers’ data. More than 2,000 U.S. companies would be forced to stop handling EU residents’ data, at least temporarily.

“The Privacy Shield, and the data transfer mechanism it offers to U.S. companies, is enormously important in the global economy,” says Lisa Sotto, a privacy and cybersecurity lawyer at Hunton & Williams in New York. “To pull the rug out from under these companies…would be a disaster for the global economy.”

EU data protection in question

Abandonment of Privacy Shield would suggest the EU has “little faith” in the ability of U.S. companies to live up to European privacy expectations, Sotto says.

Congress is almost certain to renew Section 702 in some form. U.S. officials have argued that the law is essential to protect the country against terrorism. But much of the debate among U.S. lawmakers so far has been on better protections for their constituents, not the privacy of people living in other countries.

Despite support for Privacy Shield among U.S. companies, the agreement’s future is not assured. Several European lawmakers have questioned whether Privacy Shield should continue if the NSA continues the warrantless, widespread surveillance authorized under FISA Section 702, and privacy groups have filed two legal complaints in Europe targeting the agreement.


In April, the European Commission adopted a non-binding resolution raising concerns about NSA surveillance and other issues. Europeans object to the “lack of concrete assurances of not conducting mass and indiscriminate collection of personal data,” the resolution said. The EU begins a review of Privacy Shield this month.

It’s worth remembering that Privacy Shield replaced the U.S. and EU Safe Harbor agreement, which the European Court of Justice ruled invalid in October 2015, largely in reaction to U.S. surveillance activities. The EU requires these agreements to protect the privacy of its citizens when their data is transferred to countries that have, in the eyes of Europe, inadequate privacy protection laws.

Now, Congress is potentially facing a repeat scenario. “It is operationally necessary for Congress to reform Section 702 for Privacy Shield to survive,” says Amie Stepanovich, U.S. policy manager at Access Now, a digital rights group pushing for changes in U.S. surveillance programs. “Without reform, it is hard to see how Privacy Shield will be able to withstand the legal challenges it is already facing.”

What this means for U.S. companies

U.S. lawmakers need to recognize this need for reform, or “they'll be found with their heads in the figurative sandbox,” Stepanovich says.

The European court ruling that invalidated Safe Harbor also casts doubt on Privacy Shield unless Congress makes “fundamental changes” to surveillance programs, adds Neema Singh Guliani, a legislative counsel with the American Civil Liberties Union. The U.S. government also made some commitments during Privacy Shield negotiations, including a strong U.S. Privacy and Civil Liberties Oversight Board, but that panel has all but disbanded during the first eight months of President Donald Trump’s administration, she notes.

If the U.S. government doesn’t live up to its promises, Privacy Shield “is not on terribly solid ground,” adds Kolvin Stone, a tech-focused partner with the Orrick law firm in London. “There’s already enough of a body of opinion in Europe that the agreement shouldn’t have been made in its current form.”

For now, more than 2,000 U.S. businesses use Privacy Shield. While companies have a couple of alternative mechanisms to transfer EU data, those methods are either “extremely” expensive or time-consuming, Sotto says. Conducting legal data transfers is already difficult and will get even harder when the EU’s new General Data Protection Regulation (GDPR) privacy legislation goes into effect in May, she notes. GDPR will standardize and, in some countries, increase the potential fines for violating EU privacy rules.

For example, model clauses, an alternative method, are agreements negotiated between individual data exporters and individual data importers. Creating binding corporate rules, a second alternative, is a difficult process that fewer than 100 of the largest U.S. companies have gone through, Sotto notes.

The model clauses and binding corporate rules transfer methods are facing court challenges, as is Privacy Shield itself, Stepanovich says.

Companies can also ask for the consumer’s consent to handle their data, but that’s a one-to-one agreement, and it doesn’t work with many types of online data collection schemes.

For many web-focused companies with multiple ways to interact with consumers, including several social media channels, the alternatives to Privacy Shield aren’t sufficient, Stone says. “It’s very hard to rely on consent when you’re doing systematic transfers.”

In other cases, companies could choose to build data centers in the EU for handling customer data there, but if a U.S. employee accesses the information, that may constitute a data transfer, Stone says.

If the EU scraps Privacy Shield, “a new arrangement would have to be constructed,” Stepanovich says. “Any lasting mechanism will also require substantive reform of U.S. surveillance law to protect the human rights of people outside the U.S.”
