— last modified 29 February 2016
Today, the European Commission published the “Privacy Shield” documents, which confirm that no meaningful reforms have been made and that none are planned.
In November 2013, the European Commission adopted a Communication (pdf), in which it finally recognised the failure of the EU-US data transfer arrangement – the so-called “Safe Harbour” agreement. It then started a long negotiation with the US to try to bring the agreement into line with the law. During this time, the European Commission permitted a situation to continue that it recognised as being contrary to the primary law of the European Union.
In October 2015, the Court of Justice of the EU finally invalidated the agreement. European data protection regulators set a deadline of the end of January for the adoption of a new legal framework, in the absence of which legal proceedings would start against the ongoing illegal export of EU data. In response, the European Commission announced an arrangement with the United States on a new deal, but without any documents. A new deadline was then set by European data protection regulators.
As the European Commission announced a deal when no arrangement had been negotiated, it killed off any possibility of meaningful negotiations with the USA. As a result, it was forced today to repackage the old arrangement as a new deal. Two years, three months and two days after the Commission first recognised the illegality of current arrangements, barely nothing has changed.
“The European Commission has given Europe a lesson on how not to negotiate”, said Joe McNamee, Executive Director of European Digital Rights. “This isn’t a good deal, it hardly deserves to be called a ‘deal’ of any kind.”
It is difficult to imagine how this “new” “arrangement”, based on non-binding statements from the US would be able to pass scrutiny by the Court of Justice of the EU.
Before the “negotiations”, we had a self-certification scheme and illegal, bulk data collection by US government agencies. Today, after two years of negotiations, we have a self-certification scheme and bulk data collection by US government agencies (pdf). We have an “ombudsman” who is not actually an “ombudsman”. We have an “agreement” which is not an agreement, but a unilateral decision from the European Commission to accept an unacceptable deal.
Background
- Under the 1995 Data Protection Directive, personal data can only be exported outside the EU in certain circumstances. One of these circumstances is an adequate level of data protection being provided by the recipient country, which the Court of Justice of the European Union defined as needing to have procedures that are “essentially equivalent” to the EU’s level of protection.
- As the US is an important business partner and as the US does not have comprehensive data protection legislation, negotiations led to the launch of an arrangement called ‘Safe Harbour” being agreed in 2000. Under this system, companies could “self-certify” that they complied with a set of principles that would be, in theory, under the supervision of the Federal Trade Commission.
- Under Safe Harbour, the European Parliament asked for close monitoring of the arrangement. The Commission did not deliver. There is no reason for this to change under “Privacy Shield”.
- Under Safe Harbour, the European Commission could have suspended the arragement when it was recognised that it was not working but failed to do so.
Under Privacy Shield, the European Commission promises to suspend the arrangement, if it is recognised that it is not working. What’s new?