Last year, the Court of Justice of the European Union (CJEU) ruled that the “Safe Harbor” agreement between the U.S. and EU, which was supposed to protect EU citizens' data as it gets transferred to U.S. servers, was invalid.
The Court made that decision taking into account Snowden's revelations of mass surveillance by the NSA on EU citizens, as well as other countries. The CJEU said that such surveillance violates the EU's Fundamental Charter of Rights, and that if EU citizens' data is to be transferred across borders, it must preserve privacy protections that are “essentially equivalent” with the ones in the EU.
For the most part, the U.S. government doesn’t afford even its own citizens such strong protections. For instance, until very recently, the U.S. government was allowed for more than a decade to collect phone records of virtually all Americans in bulk. This was limited somewhat with the passing of the USA Freedom Act, but there’s still the open question of how the U.S. government taps into the country’s Internet fiber cables.
Also, only recently the U.S. government passed CISA, the new “cyber-Patriot Act," as an amendment in the budget omnibus bill. CISA has virtually no privacy protections, and the data can be collected in bulk by the NSA either directly or through the Department of Homeland Security (DHS).
Despite the U.S. government’s insistence that it can and should continue collecting all sorts of information in bulk about its own citizens, it has agreed to give judicial redress to EU citizens who believe they have been harmed by U.S. surveillance. This was an important part of the negotiation with the European Commission.
As part of this, the companies, at which the privacy invasion complaints are directed, will have to respect certain deadlines for replies. The national Data Protection Authorities (DPAs) can work with the U.S. Federal Trade Commission (FTC) to resolve disputes. When the the complaints are directed at the NSA, a new ombudsperson will be created, which will be an independent mediator between the user and the U.S. and EU governments. It’s not clear when or in what situation this could go to court.
Small Oversight Improvement
The old Safe Harbor was often criticized for not including strong oversight for companies, and also because companies were allowed to essentially self-certify that they provide adequate privacy for EU citizens. For obvious reasons, this should have never been considered acceptable.
This situation seems to have been somewhat improved in the new agreement, as now the companies will be monitored more closely by the U.S. Department of Commerce and the FTC. The problem with this is that these two U.S. agencies will be responsible for ensuring that the U.S. companies follow EU privacy laws. It’s doubtful that they have the right incentives or tools to find every single violation, though, so we’ll have to see just how well this will work in practice.
Only when U.S. companies handle human resources data will they have to comply with decisions by European DPAs.
Somewhat Increased Transparency
Although with the Safe Harbor agreement, the EU just seemed to assume that U.S. companies and the U.S. government are respecting the protections included in it, the new “Privacy Shield” will account for annual joint reviews to evaluate how well the agreement is working. The reviews will also include the issue of national security access.
The U.S. government also gave the European Commission written assurance that it will only give law enforcement and intelligence agencies access to EU citizens data under “clear limitations, safeguards and oversight mechanisms.”
However, the issue here is that we don’t know what exactly that means. The U.S. government could be referring to the same old “oversight” it claimed to have before for the NSA or other law enforcement agencies, which isn’t as strong as many would like it to be. Even if that oversight becomes stronger, it will be through White House policies rather than through laws. That means the agreement is based on shaky premises here that may not be respected very well.
According to the European Digital Rights (EDRi) organization, which is sort of a European EFF, members of the EU Parliament have criticized the U.S. for not taking the negotiations seriously. EDRi agrees with that assessment, considering the U.S. hasn’t passed new laws to ensure strong privacy protections for both EU and American citizens; in fact it went the opposite way, passing laws such as CISA. The EU has to rely on written promises from the U.S. president that the U.S. government isn’t abusing its mass surveillance power.
“The emperor is trying on a new set of clothes. Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail,” said Joe McNamee, Executive Director of European Digital Rights.
Edward Snowden also seems to agree with the conclusion that the new agreement is much weaker than expected:
The biggest issue at the heart of such an agreement between EU and U.S. is that the U.S. would have to guarantee “essentially equivalent” privacy protections for EU citizens when European data is transferred to the U.S. if it wants this agreement to withstand further scrutiny from the CJEU. Because the U.S. government is unwilling to pass strong privacy laws to guarantee that, then it’s highly uncertain whether the new “Privacy Shield” agreement can survive another lawsuit.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.