Despite what you may have heard, there is no new “Safe Harbour” agreement to ensure that companies can transfer private user data across the Atlantic. Or at least, there’s nothing of substance on paper yet. What we do have is an agreement between negotiators in the European Union and the United States on a stop-gap measure to allow such transfers. However, this agreement — now called the “EU-US Privacy Shield” — is not likely to withstand scrutiny or legal challenge. And that means we have much farther to go before we will see a real solution to the “Safe Harbour” problem — one that can’t be fixed with a simple rebranding.
What’s happened so far
It’s been four months since the Court of Justice of the EU (“CJEU”) ruled that the previous EU-US Safe Harbour agreement is invalid and inconsistent with EU law. Europe’s data protection authorities delayed enforcement of the ruling for three months specifically to give the EU Commission the time to come up with a new arrangement that would satisfy its legal requirements. At the eleventh hour, the European Commission announced that an agreement had been reached.
As of today, there is no written agreement. Instead, the Commission has provided an outline of what it expects will be in the final text. Drafting is supposed to take place over the next few weeks.
In the meantime, it’s not clear whether the new arrangement will fix the many problems of the previous arrangement. Will it protect against government surveillance of private data? Will it provide rules for transparency, oversight, data protection, and right to redress? We don’t know yet, and neither do the EU’s data protection authorities. So they have asked the Commission to produce all documents related to the arrangement — including the rough draft of the final text — by the end of the month.
All of that said, there is one thing we can be sure of right now. Without a number of key reforms in surveillance law on both sides of the Atlantic, whatever arrangement the “Privacy Shield” sets out will be a mere political solution to a legal problem. And that means that it is unlikely to adequately protect users’ data or survive legal challenge.
Below is an in-depth look at what would actually be necessary to make an arrangement that would meet the requirements of the CJEU’s ruling, covering: 1.) reforms to surveillance law, 2.) oversight and transparency, and 3.) redress for users whose data protection rights are violated.
1.) Third party access to data (read: surveillance)
There are important surveillance reforms that are necessary to ensure users’ right to privacy. In the US, these include reform of the US FISA Amendments Act, Section 702, and Executive Order 12333.
Section 702 allows for broad surveillance of non-US persons when conducted in the United States. Despite being broadly aimed at those outside the country, and allowing surveillance without any showing of suspicion, Section 702 also impacts individuals in the US.
Surveillance certifications under Section 702 have to be somewhat targeted, but the targeting can be exceptionally broad. These certifications must be approved by the Foreign Intelligence Surveillance Act (FISA) court on a showing that an identified target is not a US person. But there is a conflict in terms. EU law prohibits “generalised, indiscriminate access”, which would include surveillance that Section 702 would classify as “targeted”. In addition, in the US, data are not considered “collected” until the information is “processed into intelligible form”. In the EU, data are considered “collected” when the information is acquired, not processed or analysed.
Executive Order 12333 governs surveillance outside of the United States. It does not require any court involvement or independent oversight whatsoever.
While the CJEU decision deals with a challenge brought by Irish High Court regarding Section 702, since the case addresses information stored in the US, where Section 702 reigns, Executive Order 12333 is also troubling.
Civil society has called for substantial legislative reforms to Section 702. It has also called on the US to officially recognise international human rights standards by requiring that all surveillance be strictly necessary and proportionate.
None of these reforms have been implemented. In fact, since the CJEU invalidated the Safe Harbour arrangement, the US Congress has done the opposite, taking steps to further erode independent oversight of government surveillance and trample upon privacy and free expression.
A written “promise” to respect rights
Instead of negotiating for reform of Section 702 or Executive Order 12333, the EU Commission relies on a set of “written assurances” from the US that “indiscriminate surveillance” will not be conducted against EU citizens via generalised access and collection of data transferred under the Privacy Shield.
Because of the word games we explain above, one could claim that this is true without any reforms whatsoever. In fact, a US Commerce Department fact sheet on the Privacy Shield does not identify new protections under intelligence operations, but instead refers to those that existed at the time the Safe Harbour arrangement was invalidated. This shell game may help to delay enforcement, but it won’t fool the CJEU or distract civil society from the real changes that are needed to enable cross-border data flows that meaningfully protect users’ rights.
Notably, during a meeting the evening before the deal was announced, Commissioner Jourová indicated that the US was ready to limit “access by public authorities to personal data transferred from Europe” only “to what is necessary and proportionate”.
That is not what is now being set forward. The US, unlike other countries, has never recognised any binding need to respect the human rights of people outside the country. If the US recognised that foreign surveillance in the EU should adhere to human rights principles, it would help address that deficiency. The draft language of the arrangement will help clarify whether the US in fact plans to recognise its human rights obligations abroad.
Access Now believes that it’s necessary for the US to make robust substantive changes to its treatment of non-US persons, and specifically changes to Section 702 and Executive Order 12333, to meet the requirements that follow from the CJEU’s decision. This would create a meaningful agreement that could withstand further legal scrutiny.
It is not only the US that will need to reform its laws. EU member states, including France and the United Kingdom, have overbroad surveillance authorities which inherently conflict with human rights, and should be modified. Without these reforms, the EU is ignoring the root causes of the problems it is seeking to address.
2.) Transparency, oversight & data protection
There were major flaws in the invalidated Safe Harbour mechanism with regard to transparency and oversight, flaws that had been on the EU Commission’s radar since 2013. Since Safe Harbour relied entirely on self-certification and self-assessment, coupled with lack of efficient controls, it failed to guarantee compliance with European data protection standards and created risks for users. Any new agreement that doesn’t, at a minimum, address these longstanding issues is indisputably deficient.
Despite the clear need to remedy these central problems, the US Department of Commerce stated in a Twitter Q&A session that the new arrangement will rely on self-certification mechanisms. Additionally, based on the information in the US Department of Commerce fact sheet, the Privacy Shield will rely on “new contractual privacy protections and oversight”, but only when data are transferred to third party. And several questions remain unaddressed, including whether the oversight and enforcement body will be independent.
Above and beyond the reforms identified by the European Commission in 2013, the CJEU ruling on the Safe Harbour also established that the protections for personal data transferred from the EU to the US should be “essentially equivalent” to those provided by the EU in the data protection framework. Practically speaking, this means that the US should adopt baseline privacy legislation upholding these rights, bringing the US in line with general government practice. But so far, the United States has pursued a sectoral approach to data protection — with separate rules for credit and banking information, health information, education information, and other specific types of user data.
The Consumer Privacy Bill of Rights proposed in 2012 establishes a framework for federal baseline privacy rules within the United States, including limits on collection, retention, and use of user data by private entities, as well as an overarching right of individual control. Since the document was published, the US Congress has not yet taken serious steps toward promulgating those provisions into law. Baseline privacy legislation has the potential to bring the US protection for users’ privacy to an “essentially equivalent” level to the one guaranteed by the EU data protection framework, as long as protections apply to US and non-US persons, and it is likely necessary to ensure legal certainty in future data transfers.
Both the US and EU member states should also make additional changes in order to protect users, including enacting strong data breach notification laws and creating vulnerability disclosure frameworks.
3.) Right to redress
Another question that we don’t have an answer for is whether the US will enact into law redress measures for Europeans. Last year, the House of Representatives passed the Judicial Redress Act, legislation that would extend certain protections in the Privacy Act of 1974 to individuals of certified countries. Passage of the Judicial Redress Act is a prerequisite to final approval of the Umbrella Agreement, a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. The Privacy Act provides people with recourse against US federal agencies that violate their rights in handling data. While it is an important symbolic step, the Privacy Act is in practice limited by a number of exceptions. For example, “routine uses” of data are excepted and foreign intelligence collected by the National Security Agency is not covered. That means the Judicial Redress Act would not impact the surveillance programmes identified in the Safe Harbour judgment.
Last week, the Senate Judiciary Committee approved a considerably weakened version of the Judicial Redress Act. Already only a measured improvement on the status quo, the Senate version of the bill would undermine its limited benefits by requiring that the US certify that the laws or policies of countries covered by the Act do not “materially impede” US national security interests. This language would give the US government even greater power to pressure participation in programmes and data-sharing arrangements that compromise user privacy. The US House of Representatives passed a version without this requirement. While the European Commission is ignoring these developments, EU data protection authorities are not, and have been vocal in their criticism.
However, in announcing the Privacy Shield, the Commission said that EU citizens will be granted redress in case their data are abused by intelligence agencies. But we should take this with a grain of salt. This is a right not available even to US citizens. In fact, the US Department of Commerce clarified what this announcement refers to in its fact sheet, explaining that it will not be true redress, but that EU citizens will be able to “raise questions regarding signals intelligence activities relating to the Privacy Shield.”
What’s ahead? Uncertainty and legal challenge
From what we know right now, Privacy Shield will not provide the protection for human rights that were missing in the Safe Harbour agreement. Any new agreement that fails to address the CJEU’s concerns regarding data protection and surveillance will likely be invalidated, and this will create more uncertainty for companies seeking to transfer data from the EU to the US. That may no longer be the case if significant changes are made as the text as the agreement is finalised.
But if no such changes are made, the Privacy Shield will be the same old agreement in pretty new clothes.