On 29 February the European Commission published its delayed update on the Privacy Shield which will, it suggests, restore trust in transatlantic data flow. It does this via an umbrella agreement ensuring high data protection standards.
It guarantees, it says, that there will be no mass surveillance by the USA because of robust obligations placed on companies. There will be clear safeguards and transparency, effective protection of EU citizens’ rights through extended redress procedures, and annual reviews. There is the promise of an Ombudsperson.
There were lots of assurances that the security services would no longer have unbridled access to data transferred to the USA. Both sides of the Atlantic would ensure that the personal data of citizens will be fully protected. The question is whether this is hype or a genuine turn around in the USA’s attitudes.
Nowhere does it mention new laws. There are no limitations proposed on the powers of the security services. The written assurances by the President are contradicted by recent statements suggesting an increase in surveillance.
Comments on the EU’s latest press release regarding the matter have been few, and those that have surfaced have been far from supportive.
One must be careful when assesing the comments of pressure groups, and the Federation Frontier Foundation (FFF) is far from impartial but its recent destruction of the assurances in the press release is difficult to fault, at least this side of the Atlantic.
It points out that the US has not changed its procedures in any way, surely the absolute minimum required. The security services will continue with mass surveillance of data coming into the country. Whatever your personal feelings, it would seem that there is nothing in the new agreement to satisfy the criticisms which gave rise to the CJEU’s findings into security of data.
And there is more. The agreement will provide additional protection for US companies from the fall-out of mass surveillance when it should be privacy that is protected.
The FFF highlights President Obama’s comments that he “recognises that the intelligence community elements must collect bulk signals intelligence in certain circumstances in order to identify new or emerging threats and other vital national security information.” Or, to put it another way, business as usual. There are suggestions that such information will be shared with other agencies, including the FBI.
Independent oversight is the responsibility of an ombudsperson who will be part of the US State Department. Isn’t the first requirement of the role to be independent?
Much play is made of the recent extension of the Judicial Redress Act (JRA) allowing Europeans to protect their privacy rights in the US courts. Some commentators have suggested that the JRA has so many exemptions that it is practically worthless.
The agreement, which won’t become law until or if ratified by all EU states, does not appear to satisfy any of the points of the CJEU decision which caused the collapse of Safe Harbour.
It is difficult to see a way through the mire at the moment. This proposal does nothing to ensure the security of continued cross-Atlantic data transfer. What email marketing needs is legislation, not vague promises.