The EU-US Privacy Shield agreement explained
The History of the “Safe Harbour” Problem.
On October 6, 2015, an essential legal agreement for the global movement of data, Safe Harbour, was brought to its knees in a ruling by the European Courts.
In its judgment on a legal case brought by an Austrian citizen (Maximilian Schrems) against Facebook, the European Court of Justice (ECJ) ruled that an agreement made in 2000 about the movement of data between servers in the EU and US “no longer offered the guarantees necessary to prevent surveillance by US intelligence services” and determined that the US “does not afford an adequate level of protection of personal data”.
In 2013 the Edward Snowden revelations had unveiled NSA mass surveillance of all data entering and leaving the US and identified many large US companies operating under Safe Harbour as complicit in the spying. After that, it was only a matter of time before Safe Harbour was seen as not worth the paper it was written on.
“Safe Harbour” essentially means that a European citizen’s personal data being processed by a US company on US-based computers is under the same protections as if it were still in Europe on a European-owned system. But the ECJ says it does not protect that data from US government snooping and so cannot be allowed.
The problem with Safe Harbour is that the US government now treats any data on computers of US-owned companies anywhere in the world as fair game for examination. Microsoft, in fact, is appealing a court case won (in the US) by the US government, which says that it has the right to access data held in one of the company’s Irish data centres. Safe Harbour applied, in theory, to US companies but not, it seems, to the US government.
The very nature of cloud systems is that data is transferred promiscuously, both to create data resilience and to speed up access elsewhere. One solution is to encrypt the data using keys that remain on servers in Europe; that carries performance penalties but might at least satisfy the letter of the law.
The Proposed EU-US Privacy Shield
The European Commission (EC) has been working with US lawmakers to develop a replacement for the Safe Harbour transatlantic data transfer agreement since it was ruled invalid by the ECJ in October 2015.
The result of these discussions is the EU-US Privacy Shield, which is expected to come into force in three months’ time, the EC said.
For that to happen, the agreement’s content has to be approved by the Article 29 Working Party, an affiliation of the data protection authorities of all the 28 EU member states.
European citizens will be protected from the “indiscriminate mass surveillance” activities of the US government under the terms of a reworked data-sharing agreement to replace Safe Harbour, said Andrus Ansip, EC vice-president in charge of the Digital Single Market, who described the data-sharing agreement as a “significant improvement” on Safe Harbour.
As part of the discussions, Ansip said the EC had received written assurances from the US government that it does not intend to use the EU-US Privacy Shield to carry out “indiscriminate, mass surveillance” on European citizens. However, there are already questions as to how watertight these declarations are likely to be, and concerns are starting to mount.
The EU-US Privacy Shield will also, unlike Safe Harbour, be subject to an annual review to ensure it remains fit for purpose in the years to come.
The working party has given the EC and the US until the end of February 2016 to provide a complete breakdown of how the EU-US Privacy Shield will work, and has now stated formally that anyone attempting to use Safe Harbour to transfer data to the US is breaking the law.
The working party has also warned organisations using alternative data transfer mechanisms including standard contractual clauses and binding corporate rules that permission to use these could be revoked by the end of February.
Persistent Fears over Privacy
However, Safe Harbour’s successor, the EU-US Privacy Shield, has been reviewed by privacy campaigners, who fear the proposed data transfer agreement is unlikely to stand up to legal scrutiny by the European Court of Justice (ECJ).
Former EC vice-president Viviane Reding, who originally carried out the review into Safe Harbour in response to Snowden’s 2013 revelations, has already been quoted as saying, “The new text is disappointing. The commitment to limit mass surveillance of EU citizens is ensured only by a written letter from US authorities.
“Is this sufficient to limit oversight and prevent generalised access to the data of EU citizens? I have serious doubts if this commitment will withstand a possible new examination by the European Court of Justice.”
The CEO of civil liberties advisory group Think Privacy, Alexander Hanff, shares this negative view, and has been quoted as saying that these written assurances are “not worth the paper they are written on”.
The Foreign Intelligence Surveillance Act (FISA) is a piece of US federal legislation that allows the US government to covertly monitor people suspected of spying on the US for overseas governments or intelligence agencies, as long as the Foreign Intelligence Surveillance Court (FISC) gives it permission to do so.
“We are supposed to believe that the very same agencies and the very same political machine that has been spying on the world’s digital communications for over a decade will now suddenly stop spying on Europeans because the European Commission has asked them to?” said Hanff. “It is preposterous to even suggest such a thing, let alone do so with a straight face.”
“It doesn’t matter how many ‘assurances’ the US gives the EC, the very fact that the FISC exists and issues secret orders under FISA renders them into nothing but fantasy.”
“We simply must not allow a lie (for this Privacy Shield is exactly that) to replace a lie (which Safe Harbour was) in order to maintain the status quo and pander to the economic interests of the US technology sector,” Hanff wrote.
“The deal is bad for EU citizens and it is bad for the EU economy. It must not be accepted.”
While both the lobbyists in the EC and the big data collectors (the Microsofts, Googles and Facebooks of this world) will undoubtedly want to see prompt acceptance, a return to business as usual and the reintroduction of a Safe Harbour 2, it seems that there are still some concerns to be addressed.
However, until the full details of the EU-US Privacy Shield are made public, it is difficult either to allay these fears or to predict how the ECJ will view the finished article.
It seems there will be no shortage of candidates willing to put the new EU-US Privacy Shield to the test once the full details are known.
Perhaps Maximilian Schrems, the original Facebook challenger, phrased it best. “I am not sure if this system will stand the test before the Court of Justice,” Schrems said in his post-announcement statement. “There will clearly be people who will challenge this; depending on the final text, I may well be one of them.”