When the Court of Justice of the European Union (CJEU) ruled that the Safe Harbor agreement between the EU and the U.S. was invalid, it did so because the agreement did nothing to protect EU citizens against U.S. mass surveillance. The European Commission then scrambled to create a new agreement, called “Privacy Shield,” meant to significantly improve privacy protections for citizens of EU member states.
However, many have criticized it from the beginning, including Maximilian Schrems, whose lawsuit ultimately led to the demise of the Safe Harbor agreement, for not having enough teeth to ensure that indiscriminate mass surveillance (illegal under the Charter of Fundamental Rights of the European Union) no longer happens.
"Privacy Shield" Litmus Test
One of the main criticisms of the Privacy Shield agreement is that it doesn’t even make European authorities the ones responsible for ensuring EU citizens’ rights are protected against privacy violations by American companies or the U.S. government. It’s the U.S. Department of Commerce, an agency in charge of promoting American business interests, that is supposed to audit U.S. companies for violations of EU law. If that seems like it doesn’t make much sense to you, it’s because it doesn’t. It’s a little like asking the fox to guard the hen house.
Another criticism is that it’s unclear exactly how it would protect against mass surveillance. European Union citizens mainly have to trust that the European Commission (EC) would act accordingly if it found evidence that the U.S. wasn’t keeping its word. However, it’s also not clear how the EC would know if the U.S. government were illegally spying on EU citizens, other than by trusting the word of the U.S. intelligence agencies.
The recent scandal accusing Yahoo of allowing U.S. intelligence agencies to scan through all of its users’ emails, including those of EU citizens, could be the litmus test to decide whether the Privacy Shield agreement is effective at all when it comes to protecting EU citizens against U.S. mass surveillance (its main purpose).
Mechanisms For Redress Against Yahoo/NSA Spying
The Privacy Shield brought two main improvements over the Safe Harbor agreement. The first is the annual EU review of how effective the Privacy Shield is in doing its job of protecting EU citizens’ interests, with the ability to modify the agreement in new negotiations. The second gives EU citizens the ability to sue the U.S. government if they’ve been spied upon, enabled by the Judicial Redress Act, which passed this year in the United States.
However, the chances are that unless there are some egregious violations, the EU won’t engage in new rounds of negotiations with the U.S. government to make the Privacy Shield agreement stronger. The good news, or perhaps the bad news (depending on how you look at it), is that the NSA spying on all Yahoo users, including all EU users, should trigger new negotiation rounds.
However, this will depend largely on the public, and perhaps the European Parliament, putting enough pressure on the European Commission (the executive body) to restart the negotiations, and do it right this time.
The Judicial Redress Act should also allow Yahoo users who are EU citizens to sue the U.S. government over indiscriminate surveillance of their accounts, but it remains to be seen whether any European Yahoo user is willing to file such a lawsuit.
Yahoo Called Accusations “Misleading,” Not False
Yahoo hasn’t said the accusations that it allowed U.S. intelligence agencies to search across its entire user email database are false, just that the initial Reuters article was “misleading,” without giving any specifics as to why.
Another recent report, backed by at least two sources, also says that Yahoo allowed a “rootkit-like” backdoor on its systems. If true, this may have given the NSA or FBI much freer rein on Yahoo’s systems than the initial Reuters article implied (just the ability to search for certain words across the email database). The rootkit-like backdoor was also reportedly quite “buggy,” which means other attackers could have taken advantage of it to enter Yahoo’s systems.
This was one of the reasons why we wanted Yahoo to confirm whether the NSA’s program was actually installed in 2015, or in 2014, when the recently announced data breach supposedly happened. The data breach may have happened in 2015, after Yahoo installed the backdoor, with the company saying it happened in 2014 to avoid having anyone make a connection between the two. However, until we know more about the data breach as well, this is just speculation.
Whether it was a scanning tool that only allowed searches across all emails, or rootkit malware with much more expansive capabilities, either method appears to allow indiscriminate surveillance of all Yahoo users, including European ones. If the Privacy Shield agreement doesn’t protect against this, then it may be time to admit that the agreement is ineffective for its purpose of protecting EU citizens’ privacy, and that it still requires significant improvements.
We’ve contacted the European Commission and several national Data Protection Authorities for comment on this issue.