The final text of the EU's patchwork replacement for the Safe Harbour agreement, “Privacy Shield”, has been sent to data protection authorities. Privacy campaigners aren’t impressed.
Safe Harbour established a self-certification regime that allowed US companies to process EU citizens' personal data. But a European Court of Justice decision in favour of privacy campaigner Max Schrems last autumn effectively blew it up.
The CJEU cited the Edward Snowden revelations to support Schrems' contention that the USA couldn’t be trusted to protect EU citizens’ data, although the ruling failed to set any definitions or legal standards about what might Europe might actually consider trustworthy.
Under the proposed “Privacy Shield”, the USA promises to give law enforcement access to European’s data greater more transparency and possibly an independent “ombudsperson” to address complaints. US companies processing EU data must resolve complaints within 45 days. Data protection authorities in EU member states will have to work with the FTC to ensure these are resolved.
A draft adequacy decision was also published. (PDF)
Privacy campaigner Max Schrems called it “lipstick on a pig” while Dutch MEP Sophie in't Veld wondered how a US government official could be “independent”.
"Ombudsman" incidentally, will be official of US government. How does that qualify as "independent" scrutiny? #PrivacyShield— Sophie in 't Veld (@SophieintVeld) February 29, 2016
For Schrems, bulk collection is, by definition, an invasion of privacy. But he pointed out in a statement (PDF) that the Shield proposal lists six legitimate uses for bulk data collation: “detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational threats, including sanctions evasions”.
Given that the CJEU failed to define what is and isn’t acceptable the first time around, the Shield is sure to end up back in Luxembourg once again. ®