Questions remain over EU-US Privacy Shield agreement

The proposed EU-US Privacy Shield is aimed at protecting the fundamental rights of Europeans when their personal data is transferred to US companies, and replaces the Safe Harbor agreement.

Safe Harbor was declared invalid by the European Court of Justice in 2015, following a legal challenge brought against Facebook by Austrian privacy campaigner Max Schrems. Following the Snowden disclosures, Schrems was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA.

Mass surveillance no more?

Under the terms of the proposed agreement, the US will give an annual written commitment that it won’t indulge in mass surveillance of EU citizens, and this will be audited by both sides once a year.

EU Justice Commissioner Věra Jourová said: “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”

Before any data transfers can take place under the new EU-US Privacy Shield, the European Commission first has to adopt a formal ‘adequacy’ decision, which is currently in process.

Uncertainty remains, however, about whether an agreement has indeed been reached.

Quoting Věra Jourová: “In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”

CIO reports this week that mass surveillance activities are still allowed under Privacy Shield.

“Even though its openness to mass surveillance of EU citizens’ communications and online activities was one of the things that brought down Safe Harbor, such surveillance activities are still allowed under Privacy Shield.”

It references US documents forming part of the agreement that “claim nothing of the sort. The U.S. still allows itself to perform bulk surveillance for six purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces, and combating transnational criminal threats, including sanctions evasion.”

The EU Commission has released this fact sheet to explain what Privacy Shield aims to achieve:

Keep up to date with latest developments on the EU General Data Protection Regulation (GDPR).

Find out what the latest developments are related to European privacy law by visiting our EU GDPR information page for the latest news >>