A new transatlantic data transfer deal has been announced today between the EU and the US. The new EU-US Privacy Shield will replace the old Safe Harbor agreement, which was invalidated by the European Court of Justice last October, on the grounds that US mass surveillance programs were violating fundamental European privacy rights.
At that point talks to update Safe Harbor had already been going on for several years, ever since the 2013 Snowden revelations disclosed the extent of government agencies’ access to data. However the ECJ strike down of Safe Harbor brought fresh imperative to the process, and the EC set a three month deadline to agree a new deal.
Although the two sides didn’t quite secure a new deal by that deadline, commissioner Vera Jourová said yesterday a deal was close. Evidently very close, with the EC today announcing a new framework has been agreed to govern the flow of data across the atlantic.
Although, it should be noted, no text of the agreement has yet been published — and that process is apparently “some” weeks out, so plenty of questions remain. And some continued uncertainty for US businesses needing to be in compliance with EU law in the meanwhile.
The EC said today:
The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.
Specific elements of the new agreement highlighted by the EC are what it dubs “strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”. The US Department of Commerce will monitor that companies publish their commitments, which the EC said in turn makes them enforceable under US law by the FTC. Companies handling human resources data from Europe will also have to comply with decisions by European DPAs.
It also flags up what it describes as “clear safeguards and transparency obligations” on US government agencies’ access to data, noting that for the first time the US has given the EU written assurances that access will be subject to “clear limitations, safeguards and oversight mechanisms”.
It also notes that the US has “ruled out indiscriminate mass surveillance” on European personal data transferred to the US under the new arrangement — although yesterday Jourová conceded there would be three exceptions where mass surveillance is in fact allowed: if targeted surveillance is not technically or operationally possible, or if they see some “dangerous new trend” that needs more than targeted access.
US agencies’ access to European citizens’ data will be regularly monitored under the new agreement, via an annual joint review process, which will also look at all aspects of the agreement. The review will be conducted by the EC and the US Department of Commerce, with national intelligence experts from the US and European Data Protection Authorities also invited to take part.
On the matter of redress for EU citizens wanting to complain about misuse of their data in the US, the EC says the new arrangement offers “several” possibilities, with companies having deadlines to reply to complaints, and European DPAs able to refer complaints to the Department of Commerce and the FTC. Complaints on possible access to data by national intelligence authorities will be referable to a new Ombudsperson — with the position created as part of the arrangement.
In terms of next steps, the EC said it will prepare a draft “adequacy decision” in the coming weeks — although it still has to convince other parts of the European political machinery to accept this draft (so, as others are arguing, a deal is not really done yet). It added that the US side will need to make the “necessary preparations” to put in place the new framework, monitoring mechanisms and new Ombudsman. Assuming the rest of the European project can be convinced that the Privacy Shield does not contain the same fatal flaws as Safe Harbor.
Business groups, such as the US Chamber of Commerce and the UK CBI, unsurprisingly welcomed the announcement, but others have warned the legal footing here may prove just as flawed as the prior Safe Harbor.
Making an initial statement on the Privacy Shield deal, European privacy campaigner Max Schrems, whose legal action against Facebook ultimately brought down the original Safe Harbor, expressed scepticism the deal goes far enough to stand the test of another legal challenge at the ECJ.
“The Court has explicitly held, that any generalized access to such data violates the fundamental rights of EU citizens. The Commissioner herself has said this form of surveillance continues to take place in the US yesterday. Today there should be some agreement, in whatever form, that ensures that EU data is not used anymore. This will be the sticking point for a new challenge before the Court in respect to national surveillance,” he noted.
Also commenting critically on the announcement, MEP Jan Philipp Albrecht, who was closely involved in the multi-year process to update European data protection regulations which finally yielded agreement last December, dubbed the deal “little more than a reheated serving of the pre-existing Safe Harbor decision” and a “sellout of the fundamental EU right to data protection”. He also suggested it would not pass muster with the ECJ in future.
“The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision. The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombusman, who would assess citizens’ complaints,” said Albrecht.
“The European Parliament and national data protection authorities must make clear that such a legally dubious declaration will not stand. If this framework is adopted unchanged, it can be expected that member states’ data protection authorities will exercise the new powers granted to them via the European Court ruling to subject any data transfers to additional security measures. It seems clear that this new framework will also be challenged in the European Court of Justice, as it is clear that it does not fulfil the conditions of the court’s ruling.”
And if fresh legal challenges await, as critics suggest, the Privacy Shield is not going to provide businesses with the sought for certainty. Even as it fails to uphold the red lines of European data protection law. So any momentary political point scoring on the part of the EC being able to trumpet ‘a deal’ being reached won’t, in the long run, amount to much if we end up back where we started in just a few years (or sooner).