After three months of talks, European and American policy makers have agreed a new deal that will allow US-based corporations to transfer data back and forth across the Atlantic. However, questions still remain over the protection of EU citizens’ data, with claims that the new rules are not tough enough, and will lead to little change in the situation that was deemed unlawful by the European Court of Justice in September 2015.
The news means that firms such as Facebook, Google and Microsoft (among a reported 4,000 other companies) will now be able to continue moving data on EU citizens to the US, as they had done under the previous ‘Safe Harbour’ agreement. However, these companies will now have to publish how they will commit to protecting the privacy of European citizens.
The European Court of Justice said the newly named ‘EU-US Privacy Shield’ would “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.”
Under terms of Safe Harbour 2.0 US authorities have pledged that their companies will avoid ‘mass surveillance’ of EU citizens. A US ombudsman will now follow up on complaints made by European citizens to their own national data protection agencies, such as the ICO. The US Department of Commerce and the Federal Trade Commission are now committed to cooperating with these agencies.
“For the first time ever the US has given the EU binding assurance that the access of public authorities for law enforcement of national security will be subject to clear limitations, safeguards and oversight mechanisms,” said EU Justice Commissioner Vera Jourova.
Jon Cano-Lopez, Chief Executive of REaD Group, said that many questions about data privacy and ownership still hang in the balance. “Under the agreement, the likes of Google and Facebook can continue to hoard personal information on EU citizens, with Safe Harbour 2.0 simply marking yet another chapter in a long running battle to establish who actually owns our data,” he said.
Alchemetrics Managing Director David Gurney said that while there were valid business reasons for corporations moving data to the US, the new agreement didn’t go far enough. “There are still a huge number of concerns about how EU citizens’ data is being stored,” he told DBM. “The industry is facing intense scrutiny at the moment and transparency and consent are paramount. Safe Harbour 2.0 doesn’t seem like to address this issues with appropriate vigour.”
Cano-Lopez added that he had “serious doubts over the robustness of the new framework” and that he “believed any immediate impact will be negligible.” He said: “At a time when we are seeking to regain the trust of EU consumers, Safe Harbour 2.0 will do little to instil confidence. More to the point is the issue of ‘reasonable expectation’. Can anyone truly consider it reasonable to visit a price comparison site based in Blackburn on Tuesday and get a call from a Miami based call-centre on Thursday? I think not. This is certainly not the way to engender trust in consumers.”
The original Safe Harbour deal was deemed invalid by the European Court of Justice in September 2015 after an Austrian privacy campaigner, Max Schrems, brought a case against Facebook. The ECJ said Safe Harbour denied national supervisory authorities certain powers.