The European Commission is racing to rubberstamp its Privacy Shield agreement to allow companies to transfer data to the United States.
Although EU Justice Commissioner Věra Jourová and Vice President Andrus Ansip brokered the agreement with the US Department of Commerce on February 2, the EU executive held off on publishing the text of the deal until 27 days later.
“These strong safeguards enable Europe and America to restore trust in transatlantic data flows,” Jourova said after the Commission published the new agreement today (29 February).
The Privacy Shield agreement will replace the now infamous Safe Harbour deal, which was toppled by the European Court of Justice last October on grounds that surveillance agencies have broad access to EU citizens’ data once it’s transferred to the US.
Max Schrems, the Austrian lawyer whose complaint led to the downfall of Safe Harbour, said the new agreement was like “ten layers of lipstick on a pig”.
Commission officials said they hope the agreement—worth nearly $300 billion in trade commerce—gets the green light from a committee of member states’ representatives during the Dutch Council presidency, which runs until the end of June.
“The schedule until the end of the negotiations isn’t unrealistic, although it does seem that many points can’t be negotiated anymore,” said Marit Hansen, data protection authority for the German state of Schleswig-Holsten.
Hansen’s office is often regarded as the strictest of the notoriously tough German privacy watchdogs.
“But it’s a different question whether the many demands of the Article 29 Working Party were taken on and the Privacy Shield will stand up to the ECJ test,” Hansen added.
A Commission official said the executive will only take national authorities’ recommendations into consideration if they ‘make sense’.
The official warned it would be ‘unwise’ for the group to hold up finalising the agreement until next year, under a new US presidency.
National data protection watchdogs in the Article 29 Working Party will meet in April to issue their non-binding opinion on the Privacy Shield agreement.
If the agreement is changed substantially during the agreement process with member states, it could be sent back to the US Department for Congress for approval, according to one official. But the official said it was unlikely the agreement would be drastically changed during the internal talks.
The European Parliament will not get to approve the agreement. But the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) will hold a hearing on the Privacy Shield in March.
German Green MEP Jan Philipp Albrecht (Bündnis 90/Die Grünen) called the new agreement a “remarketed version of the pre-existing Safe Harbour decision, offering little more than cosmetic changes”.
Albrecht, a LIBE member, was rapporteur on the EU-wide data protection regulation set to go into effect in 2018.
Dealing with complaints
EU officials called the Privacy Shield agreement a major improvement on the defunct Safe Harbour deal. Under the new agreement, EU citizens will gain new possibilities to file complaints if they suspect their personal data was mishandled.
EU citizens could appeal to national data protection authorities and to the new ombudsman in charge of investigating EU citizens’ privacy complaints within the US State Department. Commission officials announced Catherine Novelli, current undersecretary at the State Department and former vice president at Apple, is slated to take up the ombudsman role.
A cost-free alternative dispute resolution platform will also be set up to help EU citizens settle grievances with companies certified to transfer data under the deal.
Limits to mass surveillance
Critics of the Privacy Shield agreement questioned whether US authorities will substantially limit their monitoring of EU citizens’ data.
A recent Obama administration reform allows for ‘bulk surveillance’ in six cases, including for counterterrorism and cybersecurity purposes.
“There might be access requests for national security purposes, but we believe they are done in a proportionate way,” one Commission official said of the new limitations.
Schrems blasted that claim.
“The US openly confirms that it violates EU fundamental rights in at least six cases. The Commission claims that there is no ‘mass surveillance’ anymore,” Schrems said of the exceptions allowing US authorities to collect data in bulk.
“This is obviously not driven by a rational implementation of the facts, the law and the judgement,” he added.
EU officials stressed they would “dynamically” monitor how companies and the US government uphold the agreement. That will include an annual review carried out by EU and US officials. The Commission can suspend the agreement if US authorities don’t comply and can remove companies that signed up, officials argued.
Alternative ways to transfer data
The new methods for filing complaints will also apply to other means for data transfers, such as so-called binding corporate rules and model contract clauses.
Data protection authorities will issue an opinion on those transfer tools during their meeting in April.
With no overarching scheme data transfers to the US, companies that previously relied on Safe Harbour have warned against knocking down alternative methods as well.
“It’s important that there’s no period where there are no meaningful options available,” said Paul Meller, communications director for tech industry association DigitalEurope.
“While we are convinced that these alternative mechanisms do stand up to the scrutiny, it’s important that their use in the US context is not questioned prior to the Shield being up and running,” he added.
Joe McNamee, executive director of NGO European Digital Rights: "The European Commission has given Europe a lesson on how not to negotiate. This isn't a good deal, it hardly deserves to be called a 'deal' of any kind."
David Martin, senior legal officer at The European Consumer Organisation (BEUC): “We remain highly sceptical that the Privacy Shield can guarantee an adequate level of data protection for EU citizens. Even if it brings some limited improvements, the Privacy Shield does not change the fact that the US and the EU data privacy regimes are too far apart. We must not compromise our fundamental values. The only real long term solution is for the U.S. to adopt a comprehensive system of privacy and data protection that matches the EU’s data protection rules in content and scope."
Wim Nauwelaerts, managing partner at law firm Hunton & Williams in Brussels: “The million dollar question is whether the EU data protection authorities will subscribe to the European Commission's point of view that the US ensures an adequate level of protection for personal data transferred under the new Shield.”
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
European Commission: text of EU-US Privacy Shield agreement (29 February 2016)