The replacement for the EU-US Safe Harbour agreement that was ruled unlawful by a European court last year may well fail the same legal tests as its predecessor. The new agreement, called Privacy Shield, seems to be little more than a new name strapped onto what are largely the same data sharing protections, or lack of them, contained in Safe Harbour.
Safe Harbour dated from 2000 and allowed US and European companies to exchange data without officially conforming to the relatively strict requirements of European data protection legislation. The European Court of Justice has ruled it to be unlawful following a challenge brought against Facebook – but also in the light of Edward Snowden’s revelations about US government mass surveillance programmes. Safe Harbour provided firms with considerable leeway – considered a box-ticking exercise – with little if any real protection for individuals.
While mass surveillance is a concern, it is difficult to police due to the nature of national security as a secretive business with very little transparency or public accountability. But the terms under which firms do business is certainly within the realms of oversight.
Now the European Commission has announced an “agreement in principle” on the new EU-US Privacy Shield. The full text of the proposed agreement has not yet been made available, but the wording of the European Commission and US Federal Trade Commission announcements reveals a number of problems.
War of (empty) words
FTC Chairwoman Edith Ramirez said:
Under the agreement … the Federal Trade Commission will continue to prioritise enforcement of the framework… We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic.
But the FTC’s own assessment makes it clear that enforcement was not a major priority under Safe Harbour. Only latterly were some of the most high-profile data controllers such as Google, Facebook and MySpace fined for their breaches. Several studies have suggested that enforcement had been very lax indeed.
From the European side, EU commissioner Vĕra Jourová used careful wording to imply stronger protections for EU citizens’ privacy without any concrete provisions:
The new arrangement will provide stronger obligations on companies in the US to protect the personal data of Europeans.
Of course, without any clear statement of what those obligations are or how they will be enforced, these words have an empty ring to them. Talk of “stronger monitoring and enforcement” is meaningless unless there are penalties associated with any breaches.
Little has changed
Three provisions are outlined. Where, under US law, public authorities can access personal data transferred under the new arrangement they will be subject to clear conditions, limitations and oversight. There will be the “possibility” of raising any complaint in this context with an ombudsman. And there will be an annual joint review of the implementation of the new arrangements. But while this will involve representation from national security agencies, there is no mention of any role for consumer representatives.
Similarly, there is little reassurance to be found in the proposed safeguards and remedies.
While companies will be given deadlines to respond to complaints, there is no suggestion that these will be enforceable, nor which country’s law would apply. Would European citizens have the right to take a case to the US courts? European data protection authorities can refer complaints to the FTC, but there’s no indication that they would be taken any further, nor are there any provisions for Europeans to gain redress there. An alternative dispute resolution procedure is mentioned, but without any indication of who the mediator would be and whether judgements would be enforceable. Finally, the prospect of a US ombudsman is mentioned – but again without any detail that might explain their powers, independence and what sort of oversight would be in place.
It seems clear that the main aim of the EU-US Privacy Shield is, as critics have stated, to give US-based companies an easy way of handling personal data from European citizens without having to provide the full protections afforded by the EU’s Data Protection Directive.
Seen this way, Safe Harbour could be viewed primarily as a way of preventing data protection legislation from jeopardising transatlantic trade. Why the urgency to rush to replace such a leaky arrangement, demonstrated to be full of holes? The headlong rush to agree and implement this badly thought-out follow-up agreement is perplexing when there are already other means in place. For example, model clauses for consumer contracts, or the technology to obtain informed consent directly from customers to process personal data outside the EU. With that in mind, it’s difficult to see how the proposed new arrangement is any different in intent to the one it replaces.