EU-US Privacy Shield Still Not Protecting Your Privacy

Full text of the new draft EU-US Privacy Shield was released February 29^th but has not been signed yet. They have made some changes from the previous Safe Harbor Agreement. While some are good improvements, some seem to have not changed how our data is handled at all. A conclusion on if the draft agreement will be acceptable should be made by mid-April to the end of April.

History: Safe Harbor Agreement

Before going in to the Privacy Shield here is the history of why we needed a new agreement between the European Union and United States. In an earlier blog, Safe Harbor Ruled Invalid, How it Affects You, we talked about the invalid ruling of the Safe Harbor Agreement and how it affected businesses and consumers. So here’s a little history on the old Safe Harbor Agreement:

The Safe Harbor Pact was established in 2000 between the European Union (EU) and the United States (US). This allowed businesses to legally funnel info across the Atlantic. Common data storage and transfers are seen in global commerce, sending and receiving emails, and even posting on social media. US companies can “self-certify” that they meet the stricter European privacy standards.

In early October of 2015, the European Court of Justice found the US approach to domestic surveillance and absence of legislation governing certain privacy rights was not up to European standards following a case brought by an Austrian student Max Schrems. The EU then made the Safe Harbor pact invalid. They believe the US has compromised the data of their citizens and would like for some changes to happen to ensure the US is not spying on their citizens.

Whats New

While there are some improvements to the Trans-Atlantic data transfer deal many say it does not differ much from the original Safe Harbor and does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law” (Max Schrems)

Key Positive Takeaways:

Citizen and Company Complaints 

The new agreement gives companies and citizens the chance to complain and dispute any mishandling of records and personal information. These complaints must be resolved within 45 days or use a free “alternative Dispute Resolution”.

Ombudsman 

An ombudsman, a public advocate responsible in representing the interests of the public by investigating and addressing complaints, within the US State Department will handle any allegations of privacy violations.

Key Negative Takeaways:

Collecting Data in “Bulk”

In a Press Release from February 29^th the European Commission states there will be “no indiscriminate or mass surveillance by national security authorities.” But then is contradicted by this:

6 exceptions where US can collect data “in bulk”( Annex VI Page 4 Paragraph 2) :

1. Detecting and countering certain activities of foreign powers
2. Counterterrorism
3. Counter-Proliferation
4. Cybersecurity
5. Detecting and countering threats to US or allied armed forces
6. Combating transnational criminal threats, including sanctions evasion

US Judicial Redress Act

In addition to the Privacy sheild, President Obama signed the U.S. Judicial Redress Act on February 24th that will “give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes. The Judicial Redress Act will extend the rights U.S. citizens, and residents enjoy under the 1974 Privacy Act also to EU citizens.” BGR

At First that sounds good but then after research on the Privacy Act of 1974, many believe, with similar views from the Electronic Frontier Foundation (EFF), that the Privacy Act is “worthless”. There are many exceptions including 32 CFR 322.7 which exempts the NSA from rules of privacy on records maintained on individuals (5 U.S. Code § 552a).

“Essential Equivalence” Non-Existent

One of the most important parts of changing this agreement was to have “essential equivalence” of European data protection in the US.  Max Schrems points out that this has not been achieved for

The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away for EU law.”(TechCrunch)

Privacy Shield Certified

Under the Privacy Shield a business can become ‘certified’ to establish “adequate” protections for Trans-Atlantic data transfers. While this sounds like a great way to protect your business from any problems with data transfers it does not protect you completely.

The new agreement allows individual Data Protection Authorities (DPAs) to suspend data flow regardless of a business being Privacy Shield Certified, meaning you can not secure continuous data flow for your company.

The Outlook

The EU-US Privacy Shield still needs to be approved by the EU’s WP29 (Article 29 Working Party) and from the privacy issues others have already found in the draft it does not seem likely it will be approved.

They tried to put 10 layers of lipstick on a pig, but I doubt the court and the DPA’s now suddenly want to cuddle with it”

–Max Schrems