NEWS: In 2015 the Safe Harbour Agreement on the trans-national transfer of data between the EU and the United States was declared invalid by the European Court of Justice. In 2016, the EU and the US renegotiated and submitted a Safe Harbor 2.0 agreement initially named “Privacy Shield”.
Safe Harbour 1.0
Safe Harbour was a special deal between the EU and the United States, which for years has given special competitive advantages for US data-driven companies. While the European data protection legislation has always been enforced directly with European companies, US companies under the Safe Harbour agreement just had to self certify that they adhere proper data protection standards. The case at the European Court of Justice, which ended with an invalidation of the agreement was initiated by the Austrian PhD law student and privacy activist Max Schrems. Schrems is behind the initiative Europe vs Facebook, which he started after making a request to Facebook for the data it held on him and receiving 1,200 pages of data. Since then he has run several legal cases against Facebook.
The EU Court’s decision on the invalidation of the Safe Harbour was based on Edward Snowden’s revelations of the US intelligence surveillance of European citizens whose data was processed by US companies, thus confirming that these companies’ handling of data on Eu citizens did in fact not live up to European human rights standards and data protection legislation. 4410 US companies had a Safe Harbour certification, including companies with some of the most popular tech consumer services and products in Europe such as Microsoft, Apple, Google, Facebook, Twitter, Yahoo, Adobe, Amazon, eBay, HP, IBM, Intel and Oracle.
Privacy Shield: A Decorated Pig?
The new agreement, which was negotiated very quickly and presented in February 2016 to the European data protection authorities, was immediately criticized by Max Schrems as just a dress up of the old agreement. Among other things, he points out that there is too little focus on private companies’ data abuse in the text, and furthermore that it can not guarantee European data protection standards, since there are still fundamental problems with the US surveillance legislation and general data protection approach. There is among others a number of cases where US intelligence agencies can collect “bulk” data on Eu citizens, which is in direct contrast to the European legislation regarding mass surveillance.
However, there are a also a few points in Privacy Shield text where, compared to the previous agreement, the rights of European citizens will be strengthened and the requirements for US companies intensified. These include, for example:
– European citizens will be able to complain directly to an American company that transmit their data, and the company must answer them within 45 days. If they don’t, the citizen can go to their own data authority that sends the complaint to the US Federal Trade Commission.
– The new system includes monitoring mechanisms to ensure that companies comply with their obligations, including sanctions or exclusion if they do not comply with the agreement.
-The new rules also tighten the conditions for companies for sharing data with third parties.
-For the first time the US government has given the EU a written assurance that US public authorities access to data with national security purposes on the European citizens will be subject to clear limitations, safeguards and oversight mechanisms (though here one needs to take specific account of Max Schrems’ core criticism)
See also EU Commission FAQ about the Privacy Shield
See more in Tech Crunch article: Draft Text Of EU-U.S. Privacy Shield Deal Fails To Impress The Man Who slayed Safe Harbor