By Mark Scott, New York Times

Only two months after the European Union’s top policymakers agreed to a hard-won data-sharing pact with U.S. officials, the bloc’s national privacy regulators said Wednesday that the deal did not go far enough to safeguard the personal information of Internet users in Europe.

The agreement, the so-called EU-U.S. Privacy Shield (pdf), which would allow companies to continue sending personal data back and forth across the Atlantic, is still widely expected to be ratified by early summer. But by sounding the alarm over the current deal, national privacy watchdogs from France, Germany and other EU member states have served notice that U.S. companies like Google, Facebook and Amazon could face protracted country-by-country legal battles.

The regulators say they worry that companies could misuse data, including information from search engine queries and social media posts. They also say they fear that U.S. law enforcement and intelligence agencies might gain access to European citizens’ personal information without sufficient safeguards in place.

“From the outside, it must look like Europe can’t speak with one voice on privacy,” said Patrick van Eecke, a data protection lawyer at DLA Piper in Brussels. “This is becoming kind of a circus.”

The stance taken by the regulators — which have the power to investigate and, in some cases, to fine companies that have broken privacy rules in the region — represents a major setback for European and U.S. negotiators who had spent years hammering out the deal.

And the protest from the regulators signals that they could open cases and levy fines on companies that rely on moving data such as employees’ financial information or social media posts across the Atlantic.

As part of their announcement Wednesday, European national privacy regulators said the data-transfer agreement was an improvement on previous rules. But they added that they remained concerned over U.S. intelligence agencies’ seemingly indiscriminate access to citizens’ personal data when it is transferred to the United States.

That access, according to the privacy watchdogs, is not subject to protections that match those currently offered in Europe. The regulators also said that new legal mechanisms to allow Europeans to monitor how their data is used in the United States needed to be strengthened.

“We believe there’s still work to do,” Isabelle Falque-Pierrotin, France’s data protection chief, who also heads a pan-European privacy regulator, said Wednesday. “We need to ensure that protections of the Privacy Shield are indeed essentially equivalent to what is available in Europe.”

Falque-Pierrotin called on the European Commission, the executive arm of the European Union that negotiated the data-transfer pact, to make further changes to the deal to meet the regulators’ concerns.

Those included fears that the indiscriminate bulk collection of Europeans’ data by U.S. and European intelligence agencies failed to comply with the region’s data protection rules. The privacy agencies also said the independence of a U.S. ombudsman reviewing European data protection complaints had to be strengthened.

Vera Jourova, the European justice commissioner, said in a statement Wednesday that she would try to incorporate the regulators’ views into the final Privacy Shield pact, though she did not say which of the proposals would be included.

But Jourova also emphasized that attention should now turn to getting European countries’ approval for the data-transfer agreement by next month.

“I count on data protection authorities to help ensure that the EU-U.S. Privacy Shield works well in practice,” she said.

European privacy campaigners, including Max Schrems, an Austrian law student whose case against Facebook led the region’s highest court to invalidate the previous trans-Atlantic data-sharing agreement, the so-called Safe Harbor pact, have called for greater restrictions on how companies and U.S. agencies gain access to users’ digital information.

Some are also preparing legal challenges to the Privacy Shield deal, saying that it failed to uphold Europe’s tough privacy rules, which are viewed as being on a par with other fundamental rights, like freedom of expression.

U.S. officials contend that new oversight mechanisms — including an ombudsman in the State Department to handle European data queries — sufficiently protect privacy. They also say that U.S. safeguards over how national intelligence agencies gain access to personal data go beyond what is available in many countries in the European Union.

“The U.S. has a different structure than Europe, but both systems offer robust privacy protection,” Penny Pritzker, the U.S. commerce secretary who led the U.S. team in negotiating to revamp the data-transfer agreement, said in a recent interview.

Despite Europe’s national regulators raising concerns over Privacy Shield, legal experts and policymakers still expect the agreement to be approved by European countries by early summer.

That is because the European Commission has the sole power to agree to the new rules, and because some countries, particularly the likes of Britain and Ireland, where many U.S. technology companies have headquarters, have given their support to the trans-Atlantic deal.

It remains unclear how the European Commission will alter Privacy Shield to answer national regulators’ concerns, though it is unlikely that European officials will reopen negotiations with their U.S. counterparts.

But Europe’s privacy regulators — which will soon gain the right to fine companies up to 4 percent of their global revenue if they are found to have broken local data protection laws — may still not be satisfied with any changes to the data-transfer agreement, increasing uncertainty over how some of the world’s largest companies will handle digital information.

“No national regulator wants to put companies in a legal limbo,” said Alexander Whalen, a senior policy manager at Digital Europe, an industry body whose members include Google and Microsoft. “We’re now in a waiting game.”

To Learn More:

Trade Groups Warn that U.S./Europe Data Transfer Rift, Triggered by U.S. Spying, Could Have Dire Economic Impact (by Julia Fioretti and Dustin Volz, Reuters)

European Court Cites Privacy Concerns in Blocking Transatlantic Online Data Flow (by Noel Brinkerhoff, AllGov)

Growing Anxiety over U.S. Technology Seen in Europe’s Call for Breakup of Google (by Noel Brinkerhoff, AllGov)

Obama Administration Criticizes EU Plan to Avoid NSA Data Surveillance as a Violation of Trade Agreement (by Noel Brinkerhoff, AllGov)

NSA Revelations Prompt EU Call for Shift Away from U.S. Internet Governance (by Noel Brinkerhoff, AllGov)