Many suggested that a replacement for the defunct Safe Harbour would require major changes in the ethos of the USA security services and so was unlikely to come to fruition. The short deadline given to the committee tasked with producing its replacement merely exacerbated the problems. But to defy the nay-sayers, we have the proposed Privacy Shield, all but ready to go before the EU.
Were those who suggested it was impossible, which included me, proved wrong by the last week’s press release? Time will tell of course, but the portents do not look good.
In essence the problem is that the American security services have free rein to collect personal information from data, such as email marketing lists, coming into the USA. Whilst there are promises of change, there appears to be no new limitations on the powers of the security services.
A fully functioning replacement for Safe Harbour which would take on board the CJEU’s concerns was a big ask. Two things were needed: a fundamental change in the attitude of the US security services and also protective legislation.
Have we got both, either, or neither?
Privacy Shield promises an ombudsperson (what’s wrong with ‘ombud’?). We are offered written assurances by the President. We have redress if privacy has been breached. Is this enough to satisfy the legal points raised by the CJEU?
These assurances seem thin on investigation.
The ombudsperson is hardly independent. As part of the state department, one might consider the position open to pressure. They will have no power to impose changes. It would appear an apology might be the best we can hope for.
The President has recently stated that the security services must be able to collect bulk signals if they feel the necessity. This tends to contradict the written assurance.
Opening the Judicial Redress Act to the foreigner seems like step in the right direction, as it is riddled with conditions it is virtually useless.
Without legislation limiting surveillance, Privacy Shield is transparent. For email marketing to flourish, we need new laws. The problem is differing attitudes of the EU and the USA to privacy and the Privacy Shield hardly addresses this.