The new data agreement was brought about because the European Court of Justice ruled in October 2015 that the previous EU-US data agreement – Safe Harbor – was invalid. The issue arises from the strict EU laws – enshrined in the Charter of Fundamental Rights of the European Union – to the privacy of their personal data.
Goodbye #SafeHarbour! Follow press on new EU-US data protection framework agreed. Press conf live @ 16.30CET https://t.co/qq0qTiipUr
— Věra Jourová (@VeraJourova) February 2, 2016
The Safe Harbor agreement was a quasi-judicial understanding that the US undertook to agree that it would ensure that EU citizens’ data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information – from internet and communications usage, to sales transactions, import and exports.
.@EU_Commission and US agree on new framework for transatlantic data flows: EU-US #PrivacyShield https://t.co/O53ltFMWFl
— EU Justice (@EU_Justice) February 2, 2016
The case arose when Maximillian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that – in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the US National Security Agency (NSA) – the transfer of data from Facebook’s Irish subsidiary onto the company’s servers in the US does not provide sufficient protection of his personal data.
Hard not to feel that @maxschrems has a point here. https://t.co/4YeDDoRTV0 pic.twitter.com/vNXDXm0f04
— John Halton (@johnhalton) February 2, 2016
The court ruled that the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
Privacy Shield
The new proposed replacement – known as Privacy Shield — has been agreed after months of negotiation between the US and the EU. It promises "stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities".
CJEU: "access on a generalised basis to communications" violates Fundamental Rights
— Max Schrems (@maxschrems) February 3, 2016
— v-#PrivacyShield / #SafeHarbor pic.twitter.com/TBceqgY16o
If an EU citizen considers that their data has been misused under the new arrangement, they can have their complaint referred to the US Department of Commerce and the Federal Trade Commission, or to an Alternative Dispute resolution system. The US has also promised to appoint an ombudsman to oversee the system.
However, Anna Fielder, chair of Privacy International said:
"It’s still a half-baked agreement. It is slightly different to Safe Harbor, but they seem to have spent more on a logo than on the actual substance. We think it will be subject to further legal challenges. It’s an agreement in principle and we don’t think it will work."
"The [proposed] ombudsman is based in the US equivalent of the Foreign Office. We don’t know what kind of independence it will have. The [European Court of Justice in its October ruling] demanded an independent authority and this is scarcely independent. How do I know that my data has been abused?" she said.