
EU-US Privacy Shield: Can written assurances adequately protect EU data from US snoops?

Privacy campaigners have been quick to question whether Safe Harbour’s replacement will be looked on favourably by the European Court of Justice


Safe Harbour’s successor, the EU-US Privacy Shield, has been weighed up and found wanting by privacy campaigners, who fear the proposed data-transfer agreement may not stand up to legal scrutiny by the European Court of Justice (CJEU).

The European Commission (EC) has been working with US lawmakers to develop a replacement for the Safe Harbour transatlantic data-transfer agreement since it was ruled invalid by the CJEU in October 2015.

The result of these discussions is the EU-US Privacy Shield, which is expected to come into force in three months’ time, the EC said.

For that to happen, the agreement’s content has to pass muster with the Article 29 Working Party, an affiliation of the data protection authorities of all 28 EU member states.

The working party has given the EC and the US until the end of February 2016 to provide a complete breakdown of how the Privacy Shield will work, and has stated formally that anyone attempting to use Safe Harbour to transfer data to the US is now breaking the law.

It also warned organisations using alternative data-transfer mechanisms – including standard contractual clauses and binding corporate rules – that permission to use these could be revoked by the end of February.

Apart from a new name, a logo and some lofty declarations about how the EU-US Privacy Shield is a “significant improvement” on Safe Harbour, only scant details about how it will work were outlined at the launch of the new-look data-transfer regime on 2 February.   

These include the fact that the agreement will be subject to annual reviews – unlike Safe Harbour – and be supported by the work of a “functionally independent” ombudsman for European citizens who fear their data has been accessed unlawfully by US authorities.

Safe Harbour 2 and its shortcomings

Given how short on detail the announcement was, many industry watchers have described it as a ruse by the EC and the US to buy more time to flesh out the details of the Safe Harbour alternative, as the Article 29 Working Party initially gave the pair until 31 January to do so.  

Frank Jennings, a partner specialising in cloud and technology commercial contracts at legal firm Wallace, told Computer Weekly he shares this view.

“The main driver over the timing of the announcement was the enforcement deadline set by the Article 29 Working Party,” he said. “This has bought some time while the detail is finalised.

“The European Commission has to prepare a draft adequacy decision for consideration by the Article 29 Working Party and the US still needs to set up the monitoring mechanisms and an ombudsman.”

During the 2 February press conference, Andrus Ansip, EC vice-president in charge of the Digital Single Market, promised European citizens that the EU-US Privacy Shield would protect them from “indiscriminate mass surveillance” by the US government.  

He said the EC has received “written assurances” from the US government to this effect, but concerns about how watertight these penned declarations are likely to be are already starting to mount up.

A history of Safe Harbour

The Safe Harbour agreement was the legal mechanism previously used by thousands of US companies to transfer data belonging to European citizens to the US, before it was struck down by the CJEU last October following a legal challenge by Austrian legal student Max Schrems.

The CJEU backed Schrems’ assertion that Safe Harbour did not adequately protect the data of European citizens from the mass surveillance activities of the US government, which were uncovered by NSA whistleblower Edward Snowden in 2013.

In this context, the problem that many people have with the EU-US Privacy Shield’s “written assurances” is whether or not these would be considered “adequate protection” from the US government’s mass surveillance activities.

Former EC vice-president Viviane Reding, who previously spearheaded a review of Safe Harbour in response to Snowden’s 2013 revelations, has already aired concerns about the shape its replacement is taking.

“The new text is disappointing,” she said. “The commitment to limit mass surveillance of EU citizens is ensured only by a written letter from US authorities.

“Is this sufficient to limit oversight and prevent generalised access to the data of EU citizens? I have serious doubts if this commitment will withstand a possible new examination by the European Court of Justice.”

Alexander Hanff, CEO of civil liberties advisory group Think Privacy, shares Reding’s misgivings, saying that, as long as the US government’s Foreign Intelligence Surveillance Act (FISA) remains in place, these penned declarations are “not worth the paper they are written on”.

FISA is a piece of federal legislation that allows the US government to covertly keep tabs on people suspected of spying on the US for overseas governments or intelligence agencies, as long as the Foreign Intelligence Surveillance Court (FISC) gives it permission to do so.

“We are supposed to believe that the very same agencies and the very same political machine that has been spying on the world’s digital communications for over a decade will now suddenly stop spying on Europeans because the European Commission has asked them to?” said Hanff. “It is preposterous to even suggest such a thing, let alone do so with a straight face.

“It doesn’t matter how many ‘assurances’ the US gives the EC, the very fact that the FISC exists and issues secret orders under FISA renders them into nothing but fantasy.”

Hanff has already written to the Article 29 Working Party outlining his concerns about the Privacy Shield’s reliance on written assurances over mass surveillance. He calls on the working party not to “entertain the notion that such an agreement is either legally secure or honest”.

He then signs off by asking Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, to make sure the existence of FISA and the FISC is communicated to the other members of the party, along with the risk they pose to the EU-US Privacy Shield’s ability to make good on its promise of protecting citizens from snooping.

“We simply must not allow a lie (for this Privacy Shield is exactly that) to replace a lie (which Safe Harbour was) in order to maintain the status quo and pander to the economic interests of the US technology sector,” Hanff wrote.

“The deal is bad for EU citizens and it is bad for the EU economy. It must not be accepted.”

Written assurances vs legal protections

Max Schrems released a statement following the EU-US Privacy Shield announcement, also focusing on whether a written declaration would be enough to satisfy the CJEU.

“A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” said Schrems.

“We don’t know the exact legal structure yet, but this could amount to disregarding the CJEU’s judgment. The court has clearly stated that the US has to ‘ensure’ proper protection by means of ‘domestic law or international commitments’.”


However, Daniel Hedley, an associate at legal firm Thomas Eggar, said that until the full details of EU-US Privacy Shield are made public, it is difficult to decide exactly how the CJEU will view the finished article.

“The CJEU’s judgment was based in large part on a finding that the US did not provide equivalent protections in law,” Hedley told Computer Weekly. “So I think we can at least say that the Privacy Shield’s legal status and enforceability are going to be critical to its success or failure.

“That is, whether or not these ‘written assurances’ provided by the US government amount to real binding rights and obligations giving Europeans equivalent data rights, and whether the proposed enforcement mechanisms have real teeth. At the moment, with the information we have, we just can’t tell if that is the case or not.”

Until the EU and US lawmakers present the EU-US Privacy Shield proposition in full to the Article 29 Working Party at the end of February, it is difficult to say with any degree of certainty whether the CJEU would uphold any legal challenges against it, said Hedley.

And, it seems, there will be no shortage of candidates willing to put it to the test once the full details are known. 

“I am not sure if this system will stand the test before the Court of Justice,” Schrems said, in his post-announcement statement. “There will clearly be people who will challenge this; depending on the final text, I may well be one of them.”
