Europeans seeking to assure that their personal data meets the same privacy protections in the U.S. as it currently does in Europe, were presented on Monday with a draft text for a new transatlantic agreement.
The “Privacy Shield,” published on Monday by the European Commission, looks to restore “trust in transatlantic data flows through strong safeguards.”
The proposed agreement is meant to replace the Safe Harbor framework, which was nullified in October by Europe’s top court, the Court of Justice of the European Union (CJEU), following a complaint by Max Schrems, an Austrian privacy activist, who argued that U.S. mass surveillance programs, as revealed by Edward Snowden, were in violation of the basic privacy rights of European citizens.
Four primary components are offered in the proposed agreement, including assurances that supervision mechanisms would be in place “to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply.”
Second, the U.S. government pledged that any “access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” That language specifically addresses a key concern voiced by the CJEU: the widespread collection of EU citizens’ personal data by the NSA.
“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals and businesses on both sides of the Atlantic,” Penny Pritzker, U.S. Secretary of Commerce, said in a statement.
However, the NSA still held out its right to use data collected in bulk for six situations, including purposes of counter-terrorism. This requirement may put the agreement at risk as the CJEU argues that it compromises “the essence of the fundamental right to respect for private life.”
Commissioner Vera Jourová, who led negotiations from the European side, issued her statement following the release of the draft in a more mannered tone. “The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.”
Following ratification of the Privacy Shield, businesses in the U.S. would be obligated to be more responsive to complaints from Europeans objecting to use of their data and U.S. businesses would need to be more vigilant in maintaining their processes.
Europeans will also get new ways to complain in the U.S. about their data being misused. The U.S. State Department will set up a new ombudsman — supposedly independent of the national security services — to handle complaints about intelligence-related matters.
This is still a work in progress, however, as representative bodies from the 28 EU member states’ data protection authorities will review the newly issued document and then vote whether to ratify the agreement.
Schrems conceded there were improvements in the new text but was dissatisfied that it does not address the “core concerns and fundamental flaws of U.S. surveillance law and the lack of privacy protections under U.S. law.” The document, he said, will be susceptible to future legal challenges.