Privacy Shield takes over from Safe Harbour

New provisions fall worryingly short of the demand for firm legal safeguards and oversight

 

The exchange of electronic data between European and US companies forms a critical part of the myriad services now delivered digitally over the internet-business valued at over $250 billion, according to US Commerce Department figures.

Until recently, companies could self-certify that they would ensure European data transferred to the US had the same protections mandated under more privacy-focused EU laws. All they had to do was sign up online to a programme called Safe Harbour, agreed between the EU and US 15 years ago.

But then came the steady dribble of disclosures from whistleblower and former US National Security Agency contractor Edward Snowden. He revealed extensive, secretive US programmes for mass surveillance and digital data-gathering, involving many of the largest American telecommunications and internet companies.

Amid heightened tensions over such spying, an Irish court case, taken by Austrian law student Max Schrems against the Irish Data Protection Commissioner, was fast-tracked to the European Court of Justice. The case centred on Schrems’ contention that Facebook – which has its European headquarters here, in Dublin – had unlawfully allowed European data to be collected by the NSA as part of the agency’s clandestine Prism programme.

In a dramatic decision, the justices sides with Schrems, invalidating Safe Harbour and leaving 4,300 companies in data protection limbo, with no easy way to certify compliance with European law.

Safe Harbour deserved to be overturned. It was little more than a box ticking exercise for companies. Neither the European Commission nor US authorities had ever shown much interest in enforcing it, and the programme had a laughable level of oversight.

But what were companies to do?

Last October, the Article 29 Working Group of European data protection authorities gave the Commission three months to come up with an alternative. But the US and EU have very different views on privacy – a fundamental right in Europe, but without constitutional protection in the US, where security often trumps privacy – making negotiations long and fraught.

That deadline came this week, and had passed, before negotiators announced a replacement proposal, called Privacy Shield. Industry lobbies, the US Chamber of Commerce, even the Irish Government rushed to welcome it in tweets and press releases. But they are jumping the digital gun.

While Privacy Shield was presented as a comprehensive new agreement, in truth it has not even been formally drafted, nor approved by the European Parliament.

Its provisions – including “written assurances” that EU data won’t be slurped by US surveillance agencies; an independent US ombudsman; and an annual review – seem to fall worryingly short of the ECJ’s demand for firm legal safeguards and oversight.

For now, Privacy Shield falls into the “something is better than nothing” camp, a bid to allow digital transfers continue. We will not know if it is Safe Harbour’s acceptable replacement until, inevitably, a new challenge is referred to the ECJ.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.