Europe and US strike post-Snowden data transfer deal: Privacy Shield

The US and Europe have reached a new agreement they hope will once again legalise personal data transfers across the Atlantic. Critics however think it won’t stand up to a court challenge.

Privacy Shield is the name of the new deal reached between European and US negotiators on Tuesday that both sides hope will facilitate the legal transfer of personal data across the Atlantic ocean.

The agreement is meant to replace, Safe Harbour, which was ruled illegal in October by the European Court of Justice for having done little in its 15 year existence to protect Europeans from mass surveillance through programs such as the NSA’s PRISM.

The European Commission said on Tuesday that a new framework based on written promises from the US will protect the fundamental rights of Europeans and hence offer legal certainty for businesses.

Key to Privacy Shield are “stronger obligations” on US companies to protect Europeans’ personal data and closer monitoring by the US Department of Commerce and Federal Trade Commission.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said EC commissioner of justice, Věra Jourová.

“In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments."

The US government has provided “written assurances” that its agencies’ access to data will will be subject to limitations, safeguards and oversight. That oversight includes a joint EU-US annual review and a new Ombudsperson who will handle complaints about US surveillance, while European data protection authorities can refer complaints to the US authorities.

Though the final text of the agreement hasn’t been settled yet, critics say that what’s known about it likely won’t stand up to a challenge in European courts, in part because nothing appears to be legally binding. Europe’s data protection authorities will have a chance to make amendments to the arrangement in coming days.

Read more: ​How cybercriminals are exploiting DNS vulnerabilities for disruption and profit

Max Schrems, the Austrian law student whose case against Facebook brought down the Safe Harbour scheme, said the new deal offered Europeans little improvement.

“With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” said Schrems.

“I doubt that a European can walk to a US court and claim his fundamental rights based on a letter by someone,” he added.

Jan Philipp Albrecht, Green home affairs and data protection spokesperson, called the new framework a “reheated serving” of the old Safe Harbour.

“The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombusman, who would assess citizens' complaints. This is a sellout of the fundamental EU right to data protection,” said Albrecht.

Others, however, are cautiously optimistic. Microsoft’s chief legal counsel Brad Smith called the deal a “vital step in maintaining data flows and strengthening confidence in the cloud.”

Participate in CSO and Gigamon's survey on Security Priorities today!

Go into the draw for a chance to win an Apple iWatch Sports or the equivalent of $500 Visa Cashcard.

Read more: ​Federal government escalates AFP email scam warnings

For full terms and conditions click here.

Start survey NOW!


Tags europeAtlanticFederal Trade CommissionframeworkCSO AustraliaSafe HarbourPrivacy Shieldpost-Snowden data transferOmbudsperson

Show Comments