deepagopi2011 - Fotolia

Eurocrats clash over EU-US Privacy Shield data protection deal

There remains significant disagreement in Brussels over the EU-US Privacy Shield arrangement intended to replace Safe Harbour

European politicians and bureaucrats have clashed in Brussels over proposals for a new regime to share data with US companies.

At a hearing in the European Parliament on 17 March, negotiators from both sides of the Atlantic appeared before the Justice and Civil Liberties committee to explain why the new EU-US Privacy Shield pact is better than the now-defunct Safe Harbour agreement it is intended to replace. But many MEPs were unconvinced.

Tiina Astola, director-general for justice and consumers at the European Commission, which negotiated on behalf of the EU, defended the deal by drawing a distinction between “mass surveillance” and “bulk data collection”.

The Safe Harbour deal was thrown out in October 2015 by the Court of Justice of the European Union (CJEU), Europe’s highest court, after law student Max Schrems argued that Facebook was not sufficiently protecting his data from US intelligence agencies’ surveillance.

In a presentation, Schrems himself systematically pulled apart the Privacy Shield agreement. One of the key elements of the deal is that EU citizens can appeal to a US ombudsman if they believe their data is being abused. According to Schrems, the number of hoops that must be jumped through before even getting as far as an appeal to the ombudsman would put real judicial redress beyond the reach of ordinary citizens.

“The commission gave up way too early on Privacy Shield, before the US was even pushed to make real concessions,” he said. “It’s like the court has asked them and the US to walk a mile, but they only took a few steps. I have no idea how the commission can argue that this complies with the decision of the CJEU. Privacy Shield will never pass a critical inspection.”

Most experts expect Schrems to bring another case before the courts to challenge Privacy Shield’s efficacy. “Is the Privacy Shield Schrems-proof?” asked Dutch MEP Sophie In’t Veld.

“The parliament is being asked to take all this on trust. Well, I don’t trust the commission,” she said, before querying how the deal would stand up under a possible Donald Trump administration in the US.

Read more about EU-US Privacy Shield

One of the elements of the pact is a “presidential letter”, which In’t Veld said is far weaker than an official law. “It’s just scouts’ honour of the president – and we are expected to trust that?” she said.

Acting under-secretary of the US Department of Commerce, Justin Antonpillai, said he expected the deal to continue into the next US administration, no matter who becomes US president later this year.

Isabelle Falque-Pierrotin, head of the Article 29 Working Party – the group of all of Europe’s data protection authorities – was also sceptical. “We feel there is an absence of rules,” she said, pointing out that Privacy Shield will set a standard for adequacy decisions in other non-EU countries.

Falque-Pierrotin and the European data protection supervisor, Giovanni Buttarelli, both wanted to know exactly how independent the new ombudsman will be, since the role will be within the same US administration that runs the secret services.

Marc Rotenberg, president and executive director of the Electronic Privacy Information Center (EPIC), suggested the whole Privacy Shield deal should be delayed unless the US repeals so-called Section 702 of the Foreign Intelligence Surveillance Act (FISA) that allows spying on Europeans. Most observers feel it is unlikely the commission will take heed.

Read more on Privacy and data protection