EU-US Safe Harbour agreed - for now
A last minute agreement on EU-US Safe Harbour transatlantic data transfers has been announced, but civil liberties objections are expected by those who believe initial concerns are not fully addressed.
In a last gasp deal, an agreement has been reached today on US-EU transatlantic data sharing, with European Commission vice president Andrus Ansip announcing that a framework agreement is now in place, “that will ensure the right checks and balances for our citizens”.
The move follows Safe Harbour being declared illegal by the European Court of Justice last October in the wake of the Snowden disclosures that US authorities accessed data on Europeans when it was held in the US, a practice condemned by civil liberties groups. Now US authorities have pledged that the US will avoid “indiscriminate mass surveillance” of EU citizens. And a US ombudsman will follow up on complaints from EU citizens made via European data protection agencies (DPAs). Civil Liberties Committee chair Claude Moraes (S&D, UK) promised that the European Parliament will play the role of watchdog for citizens over any new Safe Harbour agreement.
However, Max Schrems, the Austrian student who first opposed Safe Harbour, is reported to have said that the changes do not address his fundamental concerns.
Phil Lee, data protection partner at European law firm Fieldfisher, agrees, saying that the issue is far from resolved. In an email to SCMagazineUK.com Lee commented: "Today's announcement will undoubtedly be welcomed by many. But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces."
Following the agreement, Moraes expressed his ongoing concerns saying: "The new framework announced by Commissioner Jourová has no written text and my first concern is that it has too much in common with the previous Safe Harbour decision. The announcement does not indicate any measures which are legally binding on either party, but relies on 'declaration' by the US authorities on their interpretation of the legal situation regarding surveillance by the US intelligence services. Another key concern is that the creation of an Ombudsman... does not seem to be underpinned in the current statement by sufficient legal powers."
He added that it is imperative that a new agreement is quickly developed and the concerns expressed are quickly answered. “Without a stronger legal backing, the proposals announced today could again be challenged by the European Court of Justice. Members of the European Parliament will insist that we have a strong agreement that would survive such a challenge.”
Moraes also expressed concern that there is no actual change in US law, rather the agreement is based on an exchange of letters by an administration which is coming to its end, saying: “This is a shaky situation which needs to be addressed to give us confidence that "Privacy Shield" is something more substantial than is suggested in the initial announcement."
Earlier in the day, when it looked as if the deal would not happen, Mark Thompson, privacy practice leader at KPMG, commented: "Given the fundamentally different cultural views on privacy between the EU and the USA it is not a surprise that there have been challenges getting to a 'Safe Harbor 2.0' solution in the allotted time frame.”
Tomorrow (Wednesday 3 February) DPAs across the EU will say what they think about the new agreement; they are now empowered to investigate agreements previously made by the European Commission. A draft agreement will then be drawn up in the next few weeks, according to Brussels' justice commissioner, Věra Jourová, to be called The EU-US Privacy Shield.
For now though, the approximately 4,000 companies affected are expected to be relieved that a deal has been struck.