On July 12, 2016, the European Commission adopted the Privacy Shield: new regulations on the transfer of data between the EU and the USA. The agreement became fully operative on 1 August. But what exactly is it? We shall attempt to take stock of what has been defined as the “selling out of European rights to the USA”.
No longer (Un)Safe Harbour
Before the Privacy Shield there was Safe Harbour, a decision by the European Commission requiring participating American companies to adhere to European norms on privacy – or rather, watered down versions thereof. The decision actualised EU directive 95/46, which went into effect in October 1998, on the protection of personal data and was intended to prevent the accidental loss or revelation of data. A necessary move seeing as European law does not allow the transfer of European data to countries with less rigorous privacy laws than those of the Union.
It involved more than 4,500 American companies – first and foremost those active in Internet business like Facebook and Google – which, in order to participate in the programme, had to self-certify the following seven principles:
- Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints;
- Individuals must have the option to opt out of the collection and forward transfer of the data to third parties;
- Transfers of data to third parties may only occur to other organizations that follow adequate data protection principle;
- Reasonable efforts must be made to prevent loss of collected information;
- Data must be relevant and reliable for the purpose it was collected
- Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate;
- There must be effective means of enforcing these rules.
In reality, however, Safe Harbour did not protect data privacy; on the contrary, the decision made it impossible for European citizens to protect their rights from American companies. The simple existence of the Safe Harbour Decision and a company’s position within it blocked, in fact, any kind of investigation by a national supervisory authority against an American company.
The case against Facebook and the Schrems decision
The extremely important decision of the EU Court of Justice invalidated Safe Harbour in early October 2015. Indeed, the CURIA accepted the complaint filed by Austrian citizen Max Schrems (and 25,000 other users) accusing the United States of mass surveillance through American companies on the web. This was a genuine “case against Facebook” brought before the Irish Data Protection Commissioner in which it was declared, thanks to Edward Snowden’s revelations regarding American intelligence services, that the laws of the United States did not offer adequate protection against data collection by the public authorities on data transferred to the USA. The Irish authorities, however, dismissed the claim, maintaining that the European Commission had already verified the guarantee of an adequate level of data protection on the part of the United States within the framework of Safe Harbour.
Nevertheless, the CURIA held that the existence of a decision by the Commission according to which a third country guaranteed an adequate level of protection of personal data could not exclude nor diminish the powers of national supervisory authorities. And, even more significantly, the Court declared the Safe Harbour Decision invalid, stating that it did not, in the end, impede public authorities in the United States from interfering with people’s fundamental rights.
In short: a true example of “European judges going to bat against American surveillance, Facebook and other tech giants”.
The new Privacy Shield, and why it’s not enough
After two years of negotiations, on February 2, 2016, a new accord was announced between the EU and the USA concerning the protection of personal data on-line: the new Privacy Shield became officially operative this past summer.
But what exactly does the agreement provide for and, above all, can it really be efficacious in the protection of the digital privacy of European citizens at the moment their personal data travels from European servers to servers in the United States (as in the case of Facebook, Amazon, Google, Twitter and an infinite number of other online services)?
This new agreement provides for a series of measures that must be subjected to constant tests and updates (the first is expected at the end of the year). Authorities in the USA and the EU together must monitor the execution of the shield, completing analyses with the aid of both intelligence and data protection experts from both sides; the USA is expected to execute controls and penalties for those who do not respect the rules.
The new agreement has three fundamental points:
- Obligations on the processing of data for businesses;
- (Generally) no mass surveillance;
- Right of appeal and access to an ombudsman.
Indeed, very strict guidelines for businesses that want to access the personal data of European citizens have been introduced and contain strict penalties and inclusion on a “black list” in the case of infractions.
But there are not only rules for private companies. Among other things, the agreement affirms the prohibition of indiscriminate surveillance on the part of national intelligence agencies – even if in some cases there is a margin as far as data collection in specific cases is concerned. In other words, it is not illegal for public security authorities to access private data for reasons of national security but, at least in theory, it is subject to strong limitations.
In the case of violations, in any event, European citizens possess the right and means to appeal: the agreement regulates the possibility of free access to an alternative procedure of resolution and the direct intervention of national authorities on data protection (a role which in Italy is fulfilled by the Italian Data Protection Authority), as well as the creation of an ad hoc ombudsman.
So it goes in theory in any event. In practice, however, the “shield” has already been criticised by many parties: though criticised for its weaknesses by both the European Parliament and the European Data Protection Supervisor Giovanni Buttarelli even while only in its drafting phase, today the agreement has been designated as absolutely inadequate by non-governmental organisations and activists like EDRi, Privacy International, Access Now and the by-now-famous Max Schrems.
They all underline the fact that the agreement is, in fact, unclear but, above all, how the procedures are extremely muddled and how far too many elements have been left up to the discretion of the authorities directly involved. In addition, they highlight the grave inadequacy of the fragile mechanisms of legal protection and, especially, the profound questionability related to the impartiality of the newly-established ombudsman.
To sum up: a lot of words, but when it comes down to it, the Privacy Shield appears to do little to effectively improve the protection of our online data. Furthermore, it seems to be a rather mediocre text riddled with “surveillance holes”, which no doubt will see many upcoming legal battles. The struggle to protect our online privacy seems destined to remain a long one.
Cover Photo: Yuri Samoilov / Flickr Creative Commons