On the 2nd of February, Justice Commissioner Juorová announced that an agreement has been reached between the EU and the US on the safe flow of data. This follows a European Court of Justice ruling which in 2015 held the Safe Harbour transfer mechanism to be invalid.
The new “Privacy Shield” aims to protect European citizens’ fundamental rights and ensure legal certainty for businesses. The US has given the EU “binding assurances” that there will be distinct limitations, safeguards and oversight mechanisms surrounding access to personal data by US law enforcement and national security authorities.
There will be an annual joint review in order to monitor the functioning of the new arrangement. EU citizens will also have redress mechanisms in national security access. Such redress will be handled by an Ombudsman who will be independent from US intelligence services. European data privacy watchdogs will now work in conjunction with the Federal Trade Commission in order to address any issues which may arise.
The US has assured the Commission that mass or indiscriminate surveillance of Europeans will no longer be conducted. If citizens feel that their data has been misused under this scheme, then they will have recourse to affordable dispute resolution mechanisms. There will also be free of charge Alternative Dispute Resolution (ADR) services.
The Commissioner added: “Once the judicial redress act is passed, EU citizens will for the first time have access to US courts in the context of personal data being used for law enforcement purposes.”
Max Schrems, the privacy campaigner who had a hand in the Safe Harbour’s downfall, has expressed his reservations: “I doubt that a European can walk into a US court and claim his fundamental rights based on a letter by someone”.
There are also implications for the companies which handle the data. Regular updates and reviews of participating companies will be conducted by the Department of Commerce. A supervision mechanism which will oversee the manner in which companies apply these rules will be implemented. There will also be tightened conditions for onward transfers by companies to third parties. Companies will not be allowed to participate in this deal if they do not comply with certain privacy safeguards.
There are concerns that the language used in this announcement may be too vague. Edward Snowden has also criticised this agreement: “It’s not a ‘Privacy Shield’, it’s an accountability shield”. Jan Philipp Albrecht, a German MEP, commented: “This is just a joke. EU Commission sells out EU fundamental rights and puts itself at risk to be lectured by the CJEU again.”
Over the next few weeks, the European Commission will draft a new ‘adequacy decision’, which is an agreement which the US is expected to countersign. It remains to be seen whether this new Privacy Shield will succeed in protecting European citizens, or whether it will also be shot down by the European Court of Justice.