Analysis by Danaë LAZARI
On 30 May 2016, the European Data Protection Supervisor warned that the EU-US Privacy Shield, an agreement proposed by the Commission to replace the recently-overturned Safe Harbour agreement, was not “robust enough […] to withstand future legal scrutiny”. Although the deal has not been thrown out, these concerns act as a major obstacle to the agreement, which is due for ratification in June.
The EU-US Privacy Shield was presented in February 2016 as a framework for an alternative agreement to the Safe Harbour agreement which had been overturned by the Court of Justice of the EU (CJEU) in 2015.
From Safe Harbour to EU-US Shield
For 15 years, US companies were allowed to transfer digital data on EU citizens to their headquarters across the Atlantic simply by checking a few boxes on an online form. The basis for this was the Safe Harbour agreement, which was born of a Commission decision in 2000 that the principles to which US companies adhered to complied with the EU Data Protection Directive, and so privacy practices were deemed essentially the same in both jurisdictions.
In 2014, a case against Facebook was brought to the Irish High Court by Max Schrems, a 27 year old law student. He argued that his privacy rights had not been protected by Facebook against NSA surveillance, which had been exposed by Edward Snowden the previous year. The case culminated in the CJEU, where, in October 2015, judges ultimately overrode Safe Harbour on the grounds that the agreement prevented data protection authorities from intervening to protect EU citizens who claimed that their right to privacy had been breached.
The CJEU gave the Commission three months to come up with a viable alternative, which found its form in the EU-US Privacy Shield; an agreement reached two days after its deadline. The EU-US Shield promises regular checks on subscribed businesses by the US Department of Commerce to ensure that data protection standards are up to scratch, as well as a personal pledge that the US government will ‘avoid indiscriminate mass surveillance’ of EU citizens, signed by a top US director of national intelligence. US government access will be subject to safeguards and transparency obligations, and avenues will be created to hold businesses accountable. However, one could argue that the US Shield has replaced the safe harbour agreement in name only – having still to overcome the hurdles of its actual drafting, which could take up to three months; the scrutiny of DPAs, who are holding off until March or April to challenge the agreement; and navigating a complex EU bureaucracy to gain formal approval.
Implications of the decision
The right of privacy was the fundamental right which enabled the CJEU to overthrow Safe Harbour; a decision which directly contradicted US laws that put the right to security above all else, and reflected the EU tendency to view the government as protector of personal information. The CJEU argued that mass surveillance of any kind contravened the fundamental right of EU citizens to privacy, and its rejection of Safe Harbour was largely based on potential US government practices that may have put US companies in breach of the EU’s privacy directives.
Implications of this aspect of the decision are likely to be felt both in the EU’s Common Security and Defence Policy, and in the process of formally approving the EU-US Shield. Firstly, European intelligence agencies carry out much the same surveillance on electronic communications within the EU as the NSA in the US. It would be expected, therefore, that they will feel direct implications of the ‘Safe Harbour’ decision in the form of increased scrutiny by the CJEU, which could in turn impact on the EU’s securitisation policies.
Secondly, the current framework of the EU-US Shield does not address any change to the aforementioned US government practices. In late April 2016, the Article 29 Working Party, which represents data protection agencies across the EU, issued an opinion that stated that the EU-US Shield still created the possibility for bulk collection of data. The opinion is not legally binding, but paves the way for challenges to the agreement to be brought up before the CJEU if it takes effect in June as planned.
US commentators have also wondered whether the decision to overthrow Safe Harbour had more to do with knocking back powerful US tech companies in order to boost the development of the EU’s Digital Single Market. Although radical, opinions such as these may have minor implications on EU-US relations.