The European Commission has announced that a new agreement has been reached between the US and the EU concerning the transfer of personal data from Europe to the US. The previous treaty, known as Safe Harbor, was overturned by the European Court of Justice(ECJ) in October of last year. The case was filed by Austrian law student Max Schrems against Facebook, who he accused of forwarding his personal information to the US to aid NSA spying. The ECJ ultimately found that the deal inadequately protected the privacy of European citizens and was not in compliance with EU privacy protection laws.
Companies like Facebook and Google pressured politicians in the US and the EU to quickly negotiate a new deal, claiming that their businesses depended on routine transfers of data between the continents. In just a few months a new agreement has been reached. Known as the EU-US Privacy Shield, the Commission claims this new deal addresses all the issues raised by the ECJ concerning the previous treaty. According to the Commissions press release the points in the new agreement are as follows:
- Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
One of the key points in the ECJ's ruling was that if an EU citizen has their privacy violated by American intelligence agencies like the NSA, there is no way for them to seek redress through the courts. It would seem the third bullet-point is aimed at addressing that, as it covers possibilities of redress. There seems to be quite a bit in there about seeking redress against companies, but for intelligence agencies only the final sentence unambiguously deals with that concern. It also mentions an alternative dispute resolution, but it's not clear if that deals with intelligence agencies or only the private companies, nor is it even clear what alternative dispute resolution is or how it works. Until the full text of the deal is known, it won't really be clear if this alternative dispute resolution provides the judicial protection that the ECJ called for in its ruling.
Do you think the new deal will adequately protect the privacy of EU citizens? Leave your comments below.