The European Commission (EC) announced that it formally adopted the “Privacy Shield” agreement for allowing U.S. companies to transfer European Union’s citizens data back to the U.S. The agreement has been criticized by many as not being strong enough to protect EU citizens’ privacy rights, and potentially not complying with the Court of Justice of the European Union’s requirements.
Safe Harbor’s Successor
Last year, the Court of Justice of the European Union (CJEU) ruled that the data transferring agreement between the EU and the U.S., called the Safe Harbor agreement, was invalid. The reason for this ruling was because the U.S. didn’t offer privacy protections in its laws that were “essentially equivalent” to the ones offered by EU laws. The Court’s fear, especially in light of Snowden’s revelations, was that EU citizens’ data wouldn’t be as protected on U.S. soil as it is on EU ground.
To avoid too much of a disruption to U.S. businesses in the EU, the European Commission quickly drafted a new agreement that was meant to be more compliant with the CJEU ruling, but also flexible enough to allow U.S. companies to transfer EU citizens’ data back and forth between the two continents.
The new Privacy Shield agreement is based on four principles:
- Privacy reviews by the U.S. Department of Commerce, with sanctions or removal from the list of companies that are allowed to transfer data from the EU if they don’t comply with the privacy requirements in the agreement.
- A “guarantee” that the U.S. government wouldn’t use EU data that is transferred to the U.S. for mass spying, and a redress mechanism for EU citizens who think intelligence agencies have been abusing access to this data.
- More effective protection of individual rights: EU citizens will benefit from multiple ways in which to dispute the misuse of their data by parties such as the company collecting the data and also the U.S. government.
- Annual joint review by the European Commission, the U.S. Department of Commerce, as well as representatives of U.S. intelligence agencies and European Data Protection Authorities.
Compared to the Safe Harbor agreement, the new agreement seems like a significant improvement in every way. However, it still seems quite far from perfect, and it may not even comply with the “essential equivalent” privacy protection requirement demanded by the CJEU. That means if the Privacy Shield reaches the CJEU, it may also be ruled invalid.
The first principle adopted by the new agreement also seems the most problematic. Because we’re talking about U.S. companies having to obey EU privacy laws, it makes little sense to allow the U.S. Department of Commerce, generally a pro-U.S. business interests agency, to review and validate U.S. companies that need to comply with the Privacy Shield agreement. It would’ve made much more sense if it was an EU agency directly evaluating the companies for compliance, because it’s the data of EU citizens that is at stake here.
The second principle, which is based on some restrictions on using data for mass surveillance purposes by the U.S. government, seems to be mostly based on Presidential Policy Directive 28, passed by President Obama in 2014, and which could be changed or removed by the next president.
Even with the PPD-28 in place, and other administrative or even legal policies to restrict mass surveillance of EU citizens, the restrictions seem to be only “prioritized,” but intelligence agencies can still use exceptions to bypass these restrictions if they believe there is a national security need to do it. We also know that the intelligence agencies often interpret certain legal terms to mean something much broader than perhaps most people would expect. Therefore, these guarantees for restricting mass surveillance of EU data may not mean much in practice.
The U.S. recently passed a law giving EU citizens judicial redress when they believe they’ve been illegally spied upon by U.S. intelligence agencies. This could help if U.S. intelligence agencies start abusing EU citizens’ data that gets transferred to the U.S. by American companies.
Perhaps the best part of the Privacy Shield is that its effectiveness in protecting EU citizens’ privacy rights will be reviewed annually. The report will be made public and will also be presented to the European Parliament. This could mean that it won’t take another 15 years before the agreement in its existing form is shut down if found inappropriate, and improvements to it could be made along the way. It could also serve as a protection against a future U.S. president removing the privacy protections on EU citizens’ data. If that happens, the EU could more easily revoke the Privacy Shield agreement, at least in theory.
Because it’s the U.S. Department of Commerce that will be “operating” the Privacy Shield, American companies will be able to certify with it starting August 1, after the framework has been published in the public Federal Register.