The European Commission set a Feb. 28, 2019, deadline for the Trump administration to nominate a key official to address complaints about access to personal data by U.S. authorities, amid growing privacy concerns in Europe.
The decision follows the commission's second annual review of the EU-U.S. Privacy Shield, a set of laws governing transatlantic data transfers. EU lawmakers signed off on the agreement, which was negotiated with input from Trump administration officials, ruling that it provides an "adequate" level of protection for its citizens.
Alphabet Inc.'s Google LLC and Microsoft Corp. are among over 3,850 businesses and organizations certified under the framework, which Brussels said had benefited from a stronger certification process and compliance checks in the past year. First adopted in July 2016, the Privacy Shield was designed to safeguard U.S. companies' transfer of European citizens' personal information across the Atlantic. It replaced the Safe Harbor pact, which the Court of Justice of the European Union rendered unlawful in 2015.
The framework has, however, faced criticism from European lawmakers and privacy watchdogs. Members of the European Parliament earlier this year called for the Privacy Shield's suspension following the Facebook Inc.-Cambridge Analytica LLC data breach, in which as many as 87 million users globally had some of their data improperly shared with third parties.
Facebook's data scandal gave rise to concerns about U.S. companies' compliance with the EU's General Data Protection Regulation, or GDPR, which was enacted in May. Under the legislation, organizations are required to gain consent from all online users before collecting data. They must also notify data protection authorities with 72 hours of becoming aware of a breach. The new measures threaten steep penalties for failure to comply, including fines of €20 million or 4% of annual turnover for the most serious breaches.
European leaders said they want Trump administration officials to identify a permanent "ombudsperson" by the Feb. 28, 2019, deadline.
"We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy," said Andrus Ansip, the European Commission's vice president for the EU's digital single market, in a Dec. 19 statement on the Privacy Shield review. The digital single market is designed to streamline oversight of digital technologies in the EU.
Privacy experts earlier said the Trump administration's failure to comply with the agreement would have severe consequences for transatlantic digital services worth an estimated $70 billion trade surplus for the U.S. in 2015. Uncertainty over the framework would result in increased disruption, mounting legal costs and operational challenges, they said. Microsoft also warned in an SEC filing that changes to the current framework might require "changes in services, business practices, or internal systems that result in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with foreign-based firms."