A controversial arrangement, more than a decade old, used to transfer the data of European citizens to US companies such as Facebook appears set to be replaced soon: the draft text of the EU-US Privacy Shield, the data regulation pact rushed through to substitute the contentious Safe Harbour agreement, was published on Monday.
Safe Harbour has faced renewed scrutiny since the 2013 Snowden revelations, and a new agreement has been anticipated for months. But surveillance law experts, as well as Max Schrems, who brought challenges against Safe Harbour in the first place, say that the EU-US Privacy Shield doesn't solve key privacy problems, and that it still facilitates mass surveillance.
"My first impressions are simple: it doesn't even try to deal with the fundamental issues that the Schrems ruling brought up," Paul Bernal, a lecturer in law at the University of East Anglia (UEA) with a focus on surveillance legislation, told Motherboard in a Twitter message.
Bernal referred to Schrems' initial action against Safe Harbour data sharing, which triggered the change to data-sharing rules. In short, Schrems filed a complaint with Ireland's Data Protection Commissioner (DPC) in 2013 over concerns that data from Facebook could ultimately end up in the hands of the US National Security Agency (NSA). That case made its way to the Court of Justice of the European Union (CJEU), which found that Safe Harbour was "invalid," the strongest possible ruling it could give.
In the wake of that move, regulators have feverishly looked for another solution, and the EU-US Privacy Shield is the product of months of negotiations between lawmakers on both sides of the Atlantic.
"Protecting personal data is my priority both inside the EU and internationally," Commissioner Věra Jourová from the European Commission said in a statement. "The EU-US Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our US partners on the limitations and safeguards regarding access to data by public authorities on national security grounds."
The changes include a new ombudsman, who would act as a point of contact for Europeans if they felt that their data protection rights were being violated by American agencies. An FAQ published by the European Commission says that Privacy Shield will put "stronger obligations on companies in the US to protect the personal data of Europeans," as well as more monitoring and enforcement from the US Department of Commerce and Federal Trade Commission.
But experts say that the draft doesn't deal with one of the fundamental problems that affected Safe Harbour.
"It relies far too much on 'assurances' from the US authorities, and on an interpretation of 'mass surveillance' that is at odds with both the CJEU and reality—that surveillance only happens when data is 'accessed' rather than when gathered," Bernal continued.
"That's part of it, but the biggest part is that it still allows indiscriminate and mass gathering of data. Even the assurances only relate to accessing of data, as far as I can see," Bernal said.
Schrems characterized the new draft as essentially too similar to Safe Harbour.
"They put ten layers of lipstick on a pig but I doubt that the Court & [data protection authorities] suddenly want to cuddle with it," he tweeted.
Bernal concurred. "I don't see what's really different about the Privacy Shield from the old Safe Harbour other than presentation and paperwork," he said.