A new transatlantic data agreement will put a senior American diplomat in charge of investigating alleged breaches by US intelligence agencies, and the deal will not allow EU citizens to claim financial damages for violations of their privacy.
The long-awaited release of the so-called “Privacy Shield” follows more than two years of negotiations and a 2015 move by the European Court of Justice to invalidate the long-running “Safe Harbour” agreement — used by companies ranging from Facebook to Google — that had governed the treatment of transatlantic data flows.
The new agreement was negotiated in the context of growing suspicion of the US in many parts of the EU following the 2013 revelations of widespread US snooping by the now-exiled whistleblower Edward Snowden.
As part of the new deal, a top US intelligence official has sent a signed letter to Brussels vowing not to trample on the rights of EU citizens. But this compromise is already facing criticism from privacy activists who have been calling for much stricter standards, arguing that such a signed pledge is legally worthless.
The “Privacy Shield” still faces a number of hurdles in the EU, with data protection agencies from the bloc’s 28 member states still needing to sign off on the deal and a future challenge before the ECJ already expected.
European data protection authorities will be able to suspend data transfers to the US if they detect any violations under the new rules. Regulators are likely to examine the continued “bulk” collection of data from EU citizens by US spies, which was one of the reasons behind the decision to strike down the original “Safe Harbour”.
Both EU and US officials claim that the agreement is a major achievement that will strengthen privacy protections and force any organisation online to commit to more stringent standards and reporting requirements over how it protects the personal details of users. They also claim it addresses the concerns raised by the ECJ.
“The EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic,” US Secretary of Commerce Penny Pritzker said in a statement, citing the $260bn in digital services trade done across the Atlantic annually.
Like Safe Harbour, the new agreement would allow companies and other organisations to self-certify that they are in compliance. But it sets stricter requirements for the use of third-party agents and also creates a mechanism for annual updates, which officials on both sides of the Atlantic hope will allow them to react better to technological changes and any concerns.
“As eager as businesses are for a replacement mechanism to be adopted, no one is going to want to invest the time and effort involved to self-certify and comply with the new commitment if it is simply going to fall over at the first challenge,” said Paula Barrett, partner at law firm Eversheds.
Also among the new features are a special arbitration mechanism that would allow individuals to raise complaints and a new US watchdog, or ombudsperson, to respond to complaints from EU citizens who fear they have been targeted unfairly by US intelligence agencies.
From the standpoint of EU citizens, however, both of those new mechanisms are likely to be seen as relatively weak, based on the description contained in the documents released on Monday.
To gain access to arbitration, EU citizens would have to raise any problems with companies and local authorities first. Should an issue get to arbitration, a Privacy Shield Panel would only have the right to order a violator to fix the issue related to an individual. It would not have the ability to order any damages or even the payment of court costs.
“These are the only powers of the arbitration panel with respect to remedies,” the annex describing the arbitration system states. “No damages, costs, fees, or other remedies are available.”