EU & US “Privacy Shield” Data Transfer Agreement Faces Skeptics In Europe

Earlier this month, American and European officials announced a new framework to ensure the continued flow of data across the Atlantic. This was in response to last October’s Schrems decision by The European Court of Justice invalidating a 15-year-old “Safe Harbor” agreement, in the wake of the Snowden domestic spying revelations.

The court asserted that any data flowing from the EU to the US would potentially be subject to US government surveillance, thus violating Europeans’ privacy rights.

Additional details of the new plan were released today. The new agreement is known as as the “EU–US Privacy Shield,” and while it has been backed by the European Commission, it still requires political approvals in Europe, the debate over which may be contentious.

In a summary of the new framework, The New York Times reported that controls will be imposed on how companies handle transatlantic data. The US has also agreed to “new limits on the powers of the country’s intelligence agencies to gain access to Europeans’ online information when it is transferred to the United States.”

In its press release announcing the Privacy Shield agreement several weeks ago, the European Commission outlined some of the agreement’s new privacy safeguards for Europeans:

• US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
• The US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
• There must be effective protection of EU citizens’ rights: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities.

The Privacy Shield framework must now be ratified by EU members and blessed by domestic European data protection regulators. The overturn of the Safe Harbor agreement created potential chaos for companies doing business across borders, as individual countries’ privacy authorities could have restricted data movement or started imposing new rules on data transfers — such as requiring companies to have servers in each country.

As part of the agreement, there will be “a dedicated new Ombudsperson” role in the US State Department to address complaints from European privacy regulators on behalf of individuals. The framework also sets up “an alternative dispute resolution mechanism to resolve grievances and a joint annual review of the accord,” according to The New York Times.

Privacy advocates in Europe, including the Austrian law student, Max Schrems, who brought the case against Facebook that upended the Safe Harbor agreement, have expressed skepticism that the new framework would pass legal muster. Accordingly, there are indications that it might be challenged in court.

The Schrems decision by The European Court of Justice seemed to turn on the idea that Europeans’ data would potentially be subjected to US government surveillance. It’s unclear if the processes and procedures in the new agreement will be able to satisfy the court that such potential is sufficiently diminished.