Details of a new EU-US agreement that will legally allow American companies to shuttle Europeans’ data across the Atlantic were released Monday, along with assurances by the National Security Agency regarding bulk collection that aren’t sitting well with privacy activists.
The “Privacy Shield” agreement aims to replace the Safe Harbor pact, which was struck down last year by the Court of Justice of the European Union (CJEU). The high court found US companies couldn’t guarantee protection of their European customers’ data in the wake of NSA spying revelations, first made public in 2013.
The European Commission, which took the lead in drafting the new agreement, claimed in a statement Monday that “for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”
Although the NSA did transmit to the commission lengthy documentation on changes made to the US surveillance complex in the wake of Edward Snowden’s revelations and new safeguards for foreign citizens’ data, the assurances still breed privacy concerns, particularly among the party that derailed the first agreement. Activist Max Schrems, who originally filed the suit that led to the CJEU overturning Safe Harbor, said in a statement that the new deal is insufficient.
“Basically, the US openly confirms that it violates EU fundamental rights in at least six cases,” Schrems remarked. “The commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite.”
According to a letter from the Office of the Director of National Intelligence this month, US spies reserve the right to conduct bulk collection surveillance under six rather broad conditions: “detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion.”
The Privacy Shield agreement does purport to boost privacy protections over and above the prior framework. It includes stronger privacy obligations on US companies, and mechanisms to sanction or exclude outfits that don’t comply. Companies will have to renew their certification each year under the deal. The pact would also create a special Ombudsman within the Department of State to conduct independent inquiries in response to European complaints on stateside data usage.
But even with these new measures, the agreement could fall short just like its predecessor. It still has to be signed off on by an EU working group focused on national data protection. Then, Privacy Shield must survive an “adequacy finding” by the European Commission. Even then, it may be challenged in the CJEU, under the argument that European data is still not safe from US government prying.
Regulators will likely be paying close attention to further debates in the US Congress over soon-to-be expiring surveillance authorities that underpin much of the foreign bulk collection of US spy agencies, particularly Section 702 of the FISA Amendments Act, which expires next year.
Lawmakers on the House Judiciary Committee earlier this month held a classified hearing on the expiring provisions, plotting behind closed doors the best way to approach them.
Thousands of US companies are paying close attention to the process. From social media companies to financial businesses, a wide range of industries are impacted by the transatlantic flow of data.