The EU has spent months negotiating a new data privacy protection agreement, called Privacy Shield, to replace the Safe Harbor agreement, which was deemed "unlawful" by the European Court of Justice.
Privacy Shield is the proposed new deal between the EU and the US that is supposed to safeguard all personal data on EU citizens held on computer systems in the US from being subject to mass surveillance by the US National Security Agency (NSA). The data includes personal data on social media sites, as well as any transaction made between an EU citizen and any company in the US.
However, privacy campaigners say any data held on US servers can be accessed by US agencies, such as the NSA, and that the safeguards promised under Privacy Shield do not go far enough.
Now Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), has said:
"I appreciate the efforts made to develop a solution to replace Safe Harbor but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it's time to develop a longer term solution in the transatlantic dialogue."
#PrivacyShield: robust improvements are needed to ensure full respect of the essence of key #EUdataP principles https://t.co/PbNV4U9Gn6
— Giovanni BUTTARELLI (@Buttarelli_G) 30 May 2016
The Privacy Shield agreement has been negotiated between the European Commission and the US and is set to be ratified by the end of June, if the Commission gets its way. However, the intervention by the EDPS is likely to stall the negotiations.
Is your online data safe? Read our blog on how MEPs scrutinise #PrivacyShield deal with US https://t.co/d1b4WbJ0i9 pic.twitter.com/cZAqs5qtAT
— European Parliament (@Europarl_EN) May 24, 2016
The agreement has been under negotiation for months, ever since the European Court of Justice ruled in October 2015 that the previous EU-US data agreement, Safe Harbor, was invalid. The issue arises from strict EU laws, enshrined in the Charter of Fundamental Rights of the European Union, on citizens' right to the privacy of their personal data.
Facebook Judgement
The Safe Harbor agreement was a quasi-judicial understanding under which the US undertook to ensure that EU citizens' data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information, from Internet and communications usage to sales transactions, imports and exports.
#EDPS comes to the same conclusion as everyone (reasonable) did before: #PrivacyShield would not hold up at #CJEU.. https://t.co/b1yi5jiBaj
— Max Schrems (@maxschrems) 30 May 2016
The case arose when Maximilian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that, in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the NSA, the transfer of data from Facebook's Irish subsidiary onto the company's servers in the US does not provide sufficient protection of his personal data.
The court ruled that: "the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals."