The United States and the European Union are about to reach a new privacy agreement intended to replace the old Safe Harbor agreement that came under intense scrutiny after the Snowden leaks revealed the scope of NSA’s data collection operations.
The new Privacy Shield was published in full a few days ago, showing the principles that would govern the exchange of digital information between EU consumers and U.S. companies. However, the new agreement also has provisions that explain how and when the NSA can continue bulk data collection in the region.
The full text of the Privacy Shield agreement was released, BetaNews reveals, and it’s available at this link. As Ars Technica reports, the NSA will continue to have broad powers in certain cases regardless of the concerns voiced by privacy advocates.
The deal is important for both sides, as virtually all data exchanges between the two regions will depend on this particular law. The new framework “underpins $260 billion in digital services trade across the Atlantic,” U.S. Secretary of Commerce Penny Pritzker said, reminding everyone that the two sides worked for more than two years on developing “a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy.”
Issued in January 2014, Presidential Policy Directive 28 (PPD-28) explains the cases where spy agencies can collect data in bulk from European users. That list covers six specific activities: “detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion.”
“Basically, the US openly confirms that it violates EU fundamental rights in at least six cases. The Commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite,” privacy activist Max Schrems said. The previous Safe Harbour framework was struck down by the Court of Justice of the European Union (CJEU) a few years ago following a complaint by Schrems.
Ars further points out that the U.S. is about to allow the NSA to share data originating from private communications it intercepts with other agencies, including the FBI and the CIA. These are the sort of details privacy advocates will inevitably address in future complaints.
Even so, the new Privacy Shield act is also supposed to provide ways for EU citizens to inquire about the way their personal data is handled by U.S. intelligence agencies. An Ombudsperson will deal with complaints from the EU, and will be attached to the Department of State as well as being “independent from national security services.”
Additionally, President Obama signed the U.S. Judicial Redress Act last week that will “give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes. The Judicial Redress Act will extend the rights U.S. citizens, and residents enjoy under the 1974 Privacy Act also to EU citizens.”
EU citizens looking to address complaints related to how U.S. companies handle their data can also work with their national data protection authorities – a visit to a lawyer is definitely advised if you’re about to go down this route.
The Privacy Shield proposal hasn’t been signed yet. The next step is for a committee composed of representatives of the Member States and the EU Data Protection Authorities (Article 29 Working Party) to give their opinions on the matter before a final decision is reached.