Safe Harbour 2.0


EU and US regulators have finally agreed upon a new legal framework for data transfer, but is it any good?

An agreement has finally been made, at the last minute. The European Commission Vice President Andrus Ansip announced a new framework “that will ensure the right checks and balances for our citizens.”

This deal comes after the European Court of Justice struck down the original framework, known as the ‘safe harbour’ agreement, on the grounds that data which was transferred to the US was not sufficiently free from state surveillance and did not guarantee privacy for European citizens. This was very much due to the Snowden revelations from a few years ago which put the agreement under scrutiny by the court, leading up to the decision in October in which the EUJC declared the legal framework, of which so many US and EU companies alike had relied upon to move consumer data across the atlantic, no longer legal.

The new framework, now called the ‘Privacy Shield,’ states that US authorities will refrain from “indiscriminate mass surveillance” of EU citizens and a US ombudsman will attend to complaints and objections brought forward by European DPAs (data protection agencies). It aims to protect a range of data from online search queries to employee records. Further and more specific details are yet to be revealed; European DPAs have requested the text of the agreement at the end of the month.

The new ‘EU-US Privacy Shield,’ with all its reform, has been under scrutiny by many privacy advocates in Europe. This includes Austrian academic Max Schrems, who claimed that the new deal still fails to address the fundamental issues.

One of the main problems raised by the new deal is that it is hardly any different from the preceding framework. Upon initial interpretation, without a full text to comprehend and analyse, there are many who fear that the new deal does not contain any legally binding rules upon either party, much like the framework before. There are no actual changes being made to US law, only mere declarations which lack any true legal authority.

In addition, the other new measures added appear inadequate. For example, Europeans being able to get legal redress in the US may be difficult since Republicans have insisted that exceptions for breaches of privacy must be made for the sake of national security. Indeed, US politicians who are concerned with privacy being prioritised over security have made it clear that such prospects will be obstructed, thus creating a complicated legal mess with the new deal, which again was a problematic characteristic of the former legal framework. As a result, the lack of oversight on the NSA would remain.

With these flaws considered, it would be plausible to assume that US regulators quickly cobbled together a seemingly improved framework, filled with hollow promises and empty compromises, just so the likes of Microsoft and other tech companies, could continue operate in Europe free of legal complications. This contrasts the incentives of Europeans, whose concerns are centralised around privacy for citizens and protection from tyrannical mass surveillance from foreign governments. Being so, the response of dissatisfaction threatens the life-span of the new framework. “The European Court has explicitly held that any generalised access to such data violates the fundamental rights of EU citizens. And the Commissioner herself has said this form of surveillance continues to take place in the US,” said Schrems in response to the new deal, who believes that the Privacy Shield, once looked at closely, will struggle to withstand any legal challenges.

At this point, nothing is certain. The Privacy Shield will continue to be under scrutiny with the little details available until it is revealed in full. When the full text is released, European DPAs will study the documents extremely closely. They will be keen to see whether the Privacy Shield is a collection of empty promises simply to keep privacy advocates quiet in favour of national security, or whether it is a genuine attempt to ease tensions to promote a more a successful digital economy. The roots beneath the contrasting approaches to privacy go back to years of different experiences and cultural shifts. For Europe, its past fuels a commitment to protecting individual rights and liberties, and for the US, a patriotic desire to protect its beloved nation. However, can they finally put their differences aside? The fate of the Privacy Shield will tell us.