Privacy Shield: Our Concerns with the Data Transfer Agreement

When the Court of Justice of the European Union (CJEU) struck down Safe Harbor last year it sent tech companies into a tailspin. The agreement between the EU and US had been in place since 2000 and ensured that companies like Facebook and Google could transfer European user data across the Atlantic with no fuss.

The CJEU eventually found fault in this. Safe Harbor didn’t offer any protection for Europeans from mass surveillance by the NSA. There was nothing safe about this agreement, it found.

The ruling stemmed from a case taken by Austrian lawyer Max Schrems who spent years pursuing Facebook over its handling of user data and where exactly it goes and what happens to it.

Since the October 2015 ruling both the US and EU have been scrambling for a new framework for data protection. This came to a head last week, a little overdue on the deadline, with the unveiling of Privacy Shield, a new operation that is supposed to replace Safe Harbor, but many questions and concerns still hang overhead.

Crucially, the European Commission said in its statement on February 2 that the two parties reached an agreement but it was lacking in detailed specifics. “Our people can be sure that their personal data is fully protected,” said Andrus Ansip, Vice President for the Digital Single Market of the European Commission.

So what does it mean? Now that the announcement has lingered for a few days, interested parties have had a chance to break it down but have found little in the way of anything concrete – at least for now.

Under the details of the agreement that have been made public so far, US companies that want to transfer data from Europe will have to meet “robust obligations” while any companies handling HR data must adhere to rulings made by Europe’s various data protection authorities.

The US says it ruled out any mass surveillance of data transferred from Europe and there will be “clear limitations” on how US law enforcement can access European data as part of investigations. This agreement will be overseen by an annual review carried out by The European Commission and US Department of Commerce with possible involvement from intelligence agencies from either side.

Finally, European citizens will have redress means if they believe their data has been handled unlawfully or tampered. European data protection agencies can forward claims to the Department of Commerce or the Federal Trade Commission, both of which will have to reply to complaints within a certain deadline. Furthermore a new authority will be established to oversee complaints made regarding national intelligence access to data.

These points sound good on paper but the lack of specifics means many things are still up in the air and that has many scratching their heads. Comments like “robust obligations” and “clear limitations” do not ensure anything. However it is expected that the full text of Privacy Shield will be published by the end of February.

We’re now finalising texts and will unveil the #Privacy Shield 2nd half of February @Ansip_EU

— V?ra Jourová (@VeraJourova) February 8, 2016

For now the agreement looks like a means to keep data flowing between the US and EU but it has not been set in stone yet and it may be many months before it is. One of the chief concerns levelled against Privacy Shield over the last few days is that it does more to keep business flowing rather than protect individuals’ privacy.

“A lot of global businesses will be breathing a sigh of relief today as a significant number of them didn’t take action to address the risk of Safe Harbour disappearing,” said Mark Thompson, Privacy Practice Leader at KPMG. “The agreement is good news for companies as a number were clearly going to struggle from a financial and operational point of view with the uncertainty surrounding the movement of personal data.”

But it’s not clear skies for businesses just yet. The CJEU’s European Court of Justice (ECJ) may very well put the agreement under the microscope and once again strike it down over surveillance concerns that have not been addressed.

Under the new rules, law enforcement will carry out an annual review to ensure no “indiscriminate mass surveillance” has taken place but how is this guaranteed? “We all know how good the NSA is at hiding what it’s actually doing from oversight bodies,” writes Techdirt’s Mike Masnick. Secondly, the agreement states that a new authority, or ombudsperson, will handle surveillance complaints. Just how much power will this ombudsperson have?

The new EU rules bring the US’ Judicial Redress Act under scrutiny too, which would grant US courts some jurisdiction over EU citizens under certain circumstances. This is rocky terrain for all parties involved. Many solutions have been posited including the establishment of more data centers in Europe to keep data within its legal jurisdictions but this wouldn’t entirely solve the problem.

Nevertheless, we are seeing more data centers spring up in Europe lately or have to plans to do so. Apple and Facebook are building new facilities in Ireland, Microsoft is opening a data center in the UK as well as expanding its Irish one, Oracle has built out its British center recently, and not to mention the facilities that Google already has around the continent. But this is only a solution for the major tech giants that can afford it. It doesn’t address smaller businesses. For example, there were thousands of companies that used Safe Harbor to move data.

What happens next will be vital. Berin Szoka, president of non-profit TechFreedom, has called Privacy Shield a “farce in three acts” that only kicks the can down the road and won’t mean anything until widespread surveillance reform is put in place.

“Both sides have cynically exploited the furor over government surveillance to push a completely unrelated political agenda: Internet regulation,” he said. “But the ECJ won’t be satisfied with vague promises from a president who’s on his way out anyway — it will require fundamental, binding reforms to how the U.S. government spies on Europeans.