The EU and USA have reached an agreement on rules that the US government and US business must follow when “requesting or handling the data” of EU citizens. The agreement has been reached in principle, but the regulations have yet to be written. The old agreement, called Safe Harbor, was ruled unconstitutional last year by the European Court of Justice. The new agreement is called the Privacy Shield. The new law gives the U.S. Department of Commerce and American Federal Trade Commission the responsibility to make sure that American companies comply with European privacy laws. Obviously the American agencies are going to be more effective than European ones at bringing sanctions against American companies since the regulators and regulated are in the same country. As for what to do when the US government does not follow the rules, of course no one can punish them for doing that. The understanding is that they will simply not continue with indiscriminate spying as they have in the past. They will obtain a warrant and otherwise follow the rules set down in both countries when the target is a European person. In addition, the agreement says that Europeans will be given “redress” for violations. That means the EU citizens whose privacy has been violated can appeal to the FTC or Department of Commerce, who can levy fines against the offending business. “Violating privacy” here means not following the rules, which are not all written down yet. The outline simply says, “U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”
Regarding the NSA and other American agencies, the EU Commissioner said, “The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.” He also said, “In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans.” Obviously the second statement is false, given the Edward Snowden revelations, unless he meant that “in the future” they will not do that. But being a diplomat, he had to be diplomatic. The EU outlook on personal privacy is much different than the American view.
In the freewheeling capitalist US, tech companies have for a long time been vacuuming up private data of anyone who uses Facebook, reads The New York Times, buys items online, or whatever. There is some hypocrisy here as the same tech companies who cried foul over NSA wiretapping are recording every facet of our private lives and using it for advertising purposes. The only people who have complained about that, like a few rather impotent US Senators, do not carry sufficient weight to overcome the tech lobby. Plus Americans believe that government should not meddle with business too much. So no law has been passed prohibiting that.
But Europe is different. Nazi and fascist rule in Spain, Germany, and Italy have left the Europeans leery of government tracking its citizens, and certainly of business doing so. And then there are centuries of custom and tradition.
For several years the Europeans have been writing privacy rules, the urgency of which increased in the wake of the Snowden revelations. Plus the EU courts also threw out their own government surveillance laws in Germany, Ireland, the Netherlands, and elsewhere. The European Parliament already passed tough privacy laws despite heavy lobbying from Google and other tech titans. But the EU Parliament is just one law-making body. There are several steps to follow to make that into actual law, none of which have gotten very far.
While politicians dither, European courts have moved more quickly. The European Court of Justice two years ago famously required Google to remove from its search results the case of a man whose bankruptcy from years ago was still listed on the internet. That violated the French concept of the “right to forget.” That means once someone has paid their debts - or in the case of criminals, their debt to society - they should have a clean slate and not be burdened with a label like “bankrupt” or “convict” for the rest of their lives.
This agreement will let the American tech companies breathe a sigh of relief that more onerous privacy rules have not been put in place, at least not yet. The privacy regulations passed by the EU Parliament would have required that data on EU citizens be kept on EU soil. They also would have allowed reckless teenagers to delete reckless Tweets, sexting messages, and so forth once they grew older and realized how reckless posting that was. That of course is difficult to do when you have redundant data centers replicating data around the world. And you cannot delete a Tweet or Facebook post without deleting all the other comments and Tweets connected to that. That would have complicated database infrastructure and coding too. It would make for some messy code if it were necessary to, for example, write logic to store records from, say, Person A in one country and records from Person B in another.