deepagopi2011 - Fotolia

Misgivings rise as EU-US agreement unravels under scrutiny

Privacy Shield, the proposed replacement for Safe Harbour, looks increasingly like a PR exercise, rather than a genuine solution

The replacement for the Safe Harbour agreement, Privacy Shield, is unravelling at speed as lawyers examine it more closely.

Under the proposed agreement between the US and the EU, which is designed to legalise the transfer of data to the US from Europe, European citizens complaints’ about US mass surveillance will be adjudicated, in the US, by a US Commerce Department official.

And the agreement won’t be signed for at least three months, which means existing programmes such as Prism, a US surveillance programme widely regarded as a breach of UK law, will continue.

Stalling tactics

Simon McGarr, a Dublin solicitor who was part of the case brought by Austrian student Max Schrems that resulted in the striking down of the Safe Harbour agreement in October 2015, argued that Privacy Shield was little more than a stalling tactic.

“What we actually have here is a desperate PR effort to buy more time before the EU Commission and the US have to face the consequences of the legal incompatibility between the EU’s Charter of Fundamental Rights and the US’s commitment to mass surveillance,” he wrote in a blog post.

Privacy Shield, he wrote, is a noisy trumpet blast aimed at just one audience, designed to give the European Commission more time, before Europe’s data protection commissioners – represented by the Article 29 working party – start to enforce the law.

McGarr raised a crucial question with Computer Weekly: Why has not a single one of the group of 29 EU data controllers, including Christopher Graham the UK information commissioner, done anything to impose the law since the Schrems judgement in October last year?

That judgement, in effect, indicted the US for engaging in “indiscriminate mass surveillance” using Prism, a program used by the US National Security Agency to access the private data of UK and European citizens held by nine of the US internet giants.

Warrantless interception is a criminal offence

In April 2014, Anthony May, the then investigatory powers commissioner, told David Cameron in his annual report that “warrantless interception of emails is a criminal offence.”

The Prism program, which gives the NSA access to data held by Apple, Microsoft (including Outlook), Google, Facebook, Yahoo, YouTube, Paltalk, AOL and Skype, has not obtained warrants from any European government. Despite this, no action has been taken by any European data controller to enforce compliance.

It is unclear what final agreement – if any – may emerge as Europe and the US continue their negotiations over the substance of Privacy Shield.

Mcgarr argued that Privacy Shield could be the shortest-lived “deal” in history, “if one or more of the EU’s institutionally independent data protection authorities finally decides their job is to uphold the actual law, rather than to wait around for a new one to appear some day in the ever-receding future.”

When Schrems went back to the Irish High Court on 20 October 2015, the Irish Data Controller Helen Dixon accepted the European Court of Justice (ECJ) judgement in the court before Judge Hogan. Now Schrems is seeking enforcement orders against data controllers in Belgium and Germany to impose the law.  

The digital advocacy group Digital Rights Ireland went into the Irish High Court on 5 February, seeking enforcement of the ECJ judgement by the Irish data controller.

Dai Davis, a UK solicitor who specialises in data protection and security cases in the UK, pointed out that the Privacy Shield deal agreed between the US and Europe offers very little by way of real protection for UK and other European citizens against misuse of surveillance powers by the US.

“In the US there is no protection for European citizens or their rights in the US constitution,” said Davis. “Besides, why should someone from Manchester have to go to the US to get justice for something that happened in Manchester?”

Three questions the UK’s information commissioner needs to answer

The UK’s information commissioner, Christopher Graham, has issued no clarification on the past three months’ deliberations at the European Commission (EC). Computer Weekly put some questions to him over Privacy Shield and Prism, that were raised by Irish and British solicitors and barristers.

  1. The suggested US Ombudsman reaches none of the standards and rules set for ombudsmen by the EU. In addition, there are sovereign and jurisdictional issues in attempting to transfer fundamental rights of EU citizens to a non-EU jurisdiction for adjudication. How is this to be accomplished?
  2. The Schrems case. While the European court of justice’s ruling in the Schrems case stands and the US has not formally ended its Prism surveillance, Europe and the US cannot legally reach a new agreement. The ECJ judgement is beyond appeal, so the European Commission may find it has to seek agreement with the European Court of Justice for Privacy Shield, or risk another legal challenge. The EC would have to tackle the two key findings by the ECJ: that the Snowden revelations are true and that Prism is unlawful. Is the Commission proposing to do this?
  3. The legacy issue. Prism was used to steal data throughout Europe for seven years. What steps are to be taken to punish the perpetrators – the tech companies taking part in Prism, all of which are registered and trading in Europe – to obtain compensation for the victims and to have the stolen data returned and the data held in the US deleted?

The Information Commissioner’s Office has so far not replied to any of the questions or disclosed its negotiating stance at the meetings in Brussels.

Deja vu all over again

Max Schrems, whose case against Facebook started the whole chain of events, said the saga surrounding Privacy Shield looks like a round trip back to the European Court of Justice.

“The court has clearly stated that the US has to ensure proper protection [for European rights] by means of domestic law or international commitments. A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million Europeans,” he said. 

Schrems is certain that Privacy Shield will itself come under scrutiny in the European Court of Justice. “There will clearly be people who challenge this. Depending on the final text, I may well be one of them.”  

Read more on Telecoms networks and broadband communications