Privacy Shield: Nine things you need to know about the EU-US data agreement
The European Commission has adopted a new EU-US data privacy agreement called ‘Privacy Shield’.
It’s supposed to smooth the way for everyday data transfers (from Facebook and Google to banking transfers) between the two trading blocs. But there may still be problems ahead. Here’s a layman’s guide to the whole thing.
Q: What is ‘Privacy Shield’?
A: It’s an agreement between the EU and the US over the transfer of data between the two trading blocs. Specifically, it’s aimed at protecting EU citizens’ personal data rights, as we have a higher standard of legal protection for our personal data than US citizens. (For example, we don’t allow bulk surveillance of citizens’ data.)
Q: Wasn’t there already an agreement taking care of that?
A: Yes, it was called the ‘Safe Harbour’ agreement. But last year, the European Court of Justice struck it down. It said that US authorities’ blanket surveillance activities (as revealed in the Edward Snowden whistleblower revelations) were not compatible with EU citizens’ personal data rights.
Q: Why is this whole thing seen as such a big deal?
A: Other than concerns over the intrinsic right to privacy, this has become an international issue because ‘Privacy Shield’, like ‘Safe Harbour’ before it, is seen as the main legal instrument for companies to transfer data between the EU and the US. Without it in place, data regulators could potentially stop companies from engaging in business activities that involved the transfer of EU citizen data to the US. That obviously has huge ramifications for banks and tech multinationals like Google and Facebook.
Q: So what’s different about this new ‘Privacy Shield’ agreement?
A: The European Commission, which has negotiated the new agreement with US authorities, says it has more safeguards for EU citizens’ data privacy.
Q: What are these safeguards?
A: The Commission says it’s made up of a few things. First, it says there’ll be “regular reviews” by the US Department of Commerce on companies’ compliance. There’ll also be new “supervision mechanisms”, it says. Companies that don’t comply will face sanctions and removal from the Privacy Shield “list” of approved companies.
Q: Is that it?
A: No. A new US ombudsman is to be appointed that will be independent from national security services. EU citizens can make enquiries and complaints directly to this ombudsman’s office. In addition, the US Director of National Intelligence has given written promises that “indiscriminate mass surveillance” on data transferred under the Privacy Shield arrangement won’t happen. And the US has promised that bulk collection of data “could only be used under specific preconditions” and “needs to be as focused as possible”, in particular through the use of “filters” and the requirement to minimise the collection of “non-pertinent information”.
Q: So does this solve the issue?
A: Possibly not. Despite assurances from the US government about the lack of mass surveillance, it’s unclear whether the European Court of Justice -- which is ultimately the most important institution for greenlighting this agreement -- will feel that European data privacy standards have been met. Last month, European data protection supervisor Giovanni Buttarelli said that the Privacy Shield agreement may not pass muster with European authorities. Vocal opponents of the deal, such as the Austrian Facebook privacy campaigner Max Schrems, have openly said that it is inadequate. And European data protection bodies -- including Ireland’s Helen Dixon -- have questioned the independence of the proposed new US ombudsman.
Q: If the sticking point is US security authorities’ bulk surveillance through organisations such as the CIA, how will anyone really know that they’re sticking to their word?
A: That is one of the central underlying dilemmas of the whole process. Few believe that the US will pare down its intelligence-gathering activities, including bulk surveillance.
Q: So what next? If Privacy Shield doesn’t work, what will?
A: “The solutions will have to be political because the frameworks [between the EU and US] are never going to be the same as one another,” said the Irish data protection commissioner Helen Dixon last month. “So there will be trade-offs.”