'Privacy Shield' to Replace Safe Harbor

Will Agreement Safeguard Privacy, or Shield U.S. From Accountability?
Score one for marketing spin: The forthcoming EU-U.S. deal for sharing personal information among businesses has been dubbed "Privacy Shield," thus telegraphing that no matter what the forthcoming details of the agreement might be, Europeans' communication privacy will be safe from the prying eyes of the U.S. mass surveillance apparatus.

Also being spun by politicians is the notion that the particulars of any new data-sharing deal - to replace the former "Safe Harbor" arrangement - have been finalized. True, EU Justice Commissioner Vera Jourová announced Feb. 2 that she had "finalized negotiations" with U.S. Commerce Secretary Penny Pritzker, estimating that the new measure would come into force in three months.

But the press release from the European Commission - the EU's executive body - reads more like a statement of intent. Notably, the EC says that on Feb. 2 it mandated EC Vice President Andrus Ansip and Commissioner Jourová to "prepare a draft 'adequacy decision' in the coming weeks," which the EC will then send to the EU member states' data protection authorities in the hope of getting them on board, before running the agreement past the member states themselves.

Multiple business and technology lobbying groups - including the Software Alliance - a.k.a. BSA - and Information Technology Industry Council in the U.S., BusinessEurope and DigitalEurope in Brussels as well as the Paris-based International Chamber of Commerce - have lauded the news that a deal had been reached, although they have yet to see related details.

Some legal experts, however, see the reports of a deal as a stalling tactic, after negotiators missed their Jan. 31 deadline. Notably, the EU's national data protection authorities were set to meet on Feb. 2 to decide whether to bring enforcement actions against any business - potentially including technology giants Apple, Facebook, Google and Microsoft - found to be violating EU data protection laws.

"What we actually have here is a desperate PR effort to buy more time before the EU Commission and the U.S. have to face the consequences of the legal incompatibility between the EU's Charter of Fundamental Rights and the U.S. commitment to mass surveillance," says Irish attorney Simon McGarr in a Feb. 3 blog post, responding to some news reports that a final deal had been reached.

Billions of Dollars at Stake

The push for a new EU-U.S. data sharing agreement arose after the European Court of Justice in October 2015 struck down the previous deal, known as Safe Harbor. The ruling was the legal culmination of a case filed by Austrian privacy campaigner Max Schrems against Facebook's EU headquarters in Ireland. Based on documents leaked by former U.S. National Security Agency contractor Edward Snowden, Schrems' complaint said Facebook was transferring his private details to U.S.-based servers, thus making his personal communications illegally available to U.S. intelligence agencies.

The European Court of Justice agreed, ruling that the United States failed to ensure that its "law and practices ... ensure an adequate level of protection" for Europeans' right to privacy.

Since then, EU-U.S. negotiators - under pressure from the 4,000 firms that rely on the deal to legally transfer data, and with billions of dollars in online advertising and other business at stake - have been scrambling to reach a new agreement. The negotiations appeared to get a boost on Jan. 28, when the U.S. Senate Judiciary Committee voted to give EU citizens the right to sue over some types of data privacy violations in federal court.

But negotiators still failed to meet the Jan. 31 deadline, which was set by the European Council in November. With negotiations still underway, on Feb. 1, Jourová released a related update, noting that "this will not be an international agreement, but an exchange of letters," before announcing Feb. 2 that the negotiations had concluded.

Exchange of Letters

Based on the details that have been released so far, the current draft of the data sharing agreement includes:

  • Written assurances: U.S. officials have written letters saying they will only conduct mass surveillance on Europeans' personal data when it's absolutely necessary.
  • Regular reviews: An annual "trust but check" approach - to ensure the agreement is being honored by the U.S., backed by threatened suspension of the deal if not.
  • Ombudsperson: EU citizens would gain new ways to obtain redress against U.S. businesses or intelligence agencies, although no related details have been published.
  • FTC enforcement: The U.S. Department of Commerce would monitor compliance by U.S. firms, backed by the threat of Federal Trade Commission enforcement. EU data protection commissioners could refer complaints to the Commerce Department and FTC.

Business Push

For the business lobby, any agreement should be to their benefit, since otherwise they will have to comply directly with EU data protection laws or soon face potential fines worth up to 4 percent of their annual global turnover under the forthcoming General Data Protection Regulation (see EU Agrees on Data Protection Rule Reboot).

"The new agreement will generally be welcomed by the business community on both sides of the Atlantic, even as they wait to see the details," according to a blog post published by attorneys at Washington law firm Akin Gump Strauss Hauer & Feld. "Supporters are hopeful that it will allow for continued efficient handling of data subject to appropriate privacy protections, which will be important to the economies of Europe and the United States."

Privacy Protection Questions

Already, however, privacy rights groups and some members of the European Parliament have signaled their dissatisfaction with the terms of the deal revealed thus far. In a Feb. 2 statement, Schrems questioned the legal strength of the surveillance guarantees being offered by the White House. "A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance," he says. "I doubt that a European can walk to a U.S. court and claim his fundamental rights based on a letter by someone."

Schrems also notes that the new agreement would allow for "generalized access" - meaning mass surveillance, as opposed to targeted surveillance - to Europeans' electronic communications. That's in spite of the European Court of Justice ruling in October 2015 that mass surveillance violates the EU Charter's "fundamental right to respect for private life."

Viviane Reding, a Luxembourger member of the European Parliament and the former Vice President of the EC, has lauded the move to involve the Commerce Department and FTC. But she too questions the supposed privacy protections. "The commitment to limit mass surveillance on EU citizens is only ensured by a written letter from U.S. authorities," Reding says. "Is this sufficient to limit, [oversee] and prevent generalized access to data of EU citizens?" she says. "I have serious doubts if this commitment will withstand a possible new examination of the European Court of Justice."

Reding adds: "What we need are legally binding obligations without conditions. Safe Harbor will not be 'safe' just by giving it a different name."

Without strong privacy protections in place, some civil rights advocates have questioned what's in it for Europeans. "It's not a 'Privacy Shield,' it's an accountability shield," says Edward Snowden via Twitter.


About the Author

Mathew J. Schwartz
Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.