A new transatlantic data transfer deal has been announced this week between the EU and the US. The new ‘Privacy Shield’ will replace the Safe Harbor agreement which was recently invalidated by the ECJ on the grounds that US surveillance programs were violating fundamental European privacy rights protected by the EU Charter, the European Convention on Human Rights and the Lisbon Treaty.
Although the details have yet to be released, it is believed that significant features of the Privacy Shield include:
• Clear safeguards and transparency obligations on all US government access to personal data;
• An annual joint review of the framework, including national security access, conducted by the EU Commission and US Department of Commerce;
• Heightened responsibilities to be placed on US organisations (which data originating from the EU) in order to protect the personal data of European citizens;
• Effective protection of EU citizens’ privacy rights with options for remedy to be made available;
• The setting-up of an independent US Ombudsman to deal with complaints of possible access by US national intelligence bodies.
The new agreement is a positive sign for organisations which export personal data from Europe to the US and other jurisdictions. The urgency and speed evidenced in finding an acceptable arrangement since Safe Harbor was struck down last October is a clear indication that global superpowers accept the vital importance of data flows to and from the EU, and are prepared to act in a transparent and forward-thinking manner.
Věra Jourová, European Justice Commissioner, stated this week that “For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” She said the newly-agreed deal is greatly improved over the now defunct Safe Harbor agreement, and offers “robust and significant improvements” as well as “detailed assurances” on safeguards and limitations of US surveillance programs. Approximately 4,500 companies were availing of Safe Harbour when it was struck down by the ECJ last October.
Nevertheless, while the agreement is a hopeful sign that Europe and the US are determined to find a solution for transatlantic data transfers, the proposed EU-US Privacy Shield may still face hurdles in being implemented and surviving legal challenges. The agreement is a first step in a no doubt complicated process which will test the new framework’s ability to withstand a combination of legal and human rights-based challenges. Already, there is a strong scepticism that the new all-encompassing deal is doomed, with privacy campaigner Max Schrems publicly stating that (with regard to EU-US data transfers) a sector-specific approach would be preferable and that ‘Safe Harbor 2.0’ will fail to meet the requirements of the European Courts (http://arstechnica.co.uk/tech-policy/2016/02/interview-safe-harbour-2-0-will-lose-again-argues-max-schrems/). MEP Jan Philipp Albrecht also labelled the deal as “little more than a reheated serving of the pre-existing Safe Harbor decision” and a “sell-out of the fundamental EU right to data protection”. He also suggested it would not be approved by the ECJ in inevitable future test cases.
At the heart of the problem is that the new deal appears to avoid confronting the inherent US policy of safeguarding national security at the expense of every other fundamental right, including the right to privacy – a policy which could be further expanded in the wake of future terrorist attacks or a change to a Republican president in the White House. Europe on the other hand, as noted above, places the right to privacy as a core fundamental (though not absolute) right which is vigorously protected by the European Courts. Thrown into this unstable mix is global commerce which now relies heavily on data sharing and data-based industry. As such, whether this new agreement can reasonably satisfy each of these opposing constituent elements, particularly on a sustainable, long-term basis, remains to be seen.