Safe Harbor Data Privacy Shield Falls Short

Lobbyists, government officials, and technology executives celebrated news from Strasbourg on Tuesday morning that the European Commission and the United States had reached an agreement to reinstate the free flow of massive amounts of data between companies in the United States and the European Union, safeguarding users’ privacy at a new level.

But while some cheered the new agreement, dubbed the “Privacy Shield,” and thanked negotiators for providing “certainty” to businesspeople who deal in big data, many were quite a bit more skeptical of its success and said they would reserve final judgment until the agreement is formally spelled out on paper, which could take weeks or months.

The Article 29 Working Party — a data protection authority set up the European Parliament — said on Wednesday morning that it was pleased an agreement had been reached, but expressed concerns about the commitment of the United States — especially regarding the scope of its surveillance activities and relevant legal remedies available to all people. The party said it would not formally weigh in until the text of the agreement surfaces, and assigned a new deadline to release it: the end of February.

The scramble to come up with a new data-sharing arrangement kicked off when the European Court of Justice (CJEU), the top court of the European Union, ruled on October 6 that the NSA’s indiscriminate overseas surveillance interfered with the “fundamental rights” of its citizens, whose data it has the responsibility to protect. The Safe Harbor agreement — the early 2000s principles agreed upon to guarantee U.S. companies were respecting European digital rights when transferring data overseas — was deemed invalid.

Austrian law student Max Schrems brought the issue to the attention of the CJEU after suing Facebook for ignoring European privacy laws when it transferred his personal data to the U.S., where he argued it was subject to collection by the NSA.

The Article 29 Working Party assigned a deadline of January 31 for negotiators to reach a new deal, threatening to unleash Europe’s Data Protection Agencies to pursue penalties against companies breaking European privacy laws. Negotiators missed the deadline by a few days, but have largely reassured the DPAs with the announcement of a new deal.

The new agreement calls for an ombudsman in the State Department to review complaints from Europeans about U.S. privacy infractions, as well as for written promises from U.S. government officials that they will not spy indiscriminately on European citizens. It also calls for yearly reviews. So far, however, there has been no mention of a deadline for Congress to reform its spying programs, including Section 702 of the Foreign Intelligence Surveillance Act, which allows the NSA to sweep up large streams of overseas digital communications with practically no privacy protections.

While agreeing that the Privacy Shield deal is important for data protection, critical observers said that the negotiations had totally missed the point, which was to encourage surveillance reform in both jurisdictions.

Jan Philipp Albrecht, a member of the European Parliament serving on the Committee on Civil Liberties, Justice, and Home Affairs, quickly lashed out at the deal, calling it “an affront to the European Court of Justice” that “foresees no legally binding improvements” to American or European spying laws.

“There has only been a political agreement on the general framework” of the data-sharing arrangement, Albrecht told me in a telephone interview. “The deadline has passed, and they have not delivered. This is not really improving the legal situation of European citizens — there’s not any change in the legal text foreseen.” He said the U.S. was only required to “make a promise that everything’s fine” and appoint “an ombudsman, who is just the messenger for answers that are the same” about U.S. policy.

Estelle Masse, a policy analyst for the Brussels-based rights group Access Now, also thought the deal was built more on politics than a genuine intention to reform.

“For months the negotiators were having political discussion about a legal question,” she wrote in an email to The Intercept. “The discussions were about whether the ruling was ‘anti-American’ or if the EU was rejecting the U.S. as a democracy. This is neither the case nor the point. As a result, what we have today is an attempt at a political fix.”

European Digital Rights plainly described Tuesday’s announcement as Europe’s “plans to back down from defending the European Court’s ruling and accept a new badly flawed arrangement.” Joe McNamee, the rights group’s executive director, predicted that the deal would be a short term stop gap: “Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail.”

Businesses and trade groups, while feverishly releasing congratulatory press releases as the deal was announced, worried privately that they may soon be right back in the same uncertain position.

“Any risk of legal challenge is unsettling for business,” said Mike Uehlein, a spokesperson for the Direct Marketing Association, during a phone call with The Intercept. While he emphasized that the trade group is “excited [negotiators have] continued to make this a priority,” he told me that a second European Court of Justice challenge would put “everyone back in the sticky situation, wondering what’s going to happen. It has not been fun.”

Daniel Castro, a vice president at the Information, Technology, and Innovation Foundation, agreed that “uncertainty is always bad for business” but expressed optimism that good faith efforts to arrive at an agreement would likely continue. “The agreement shows that U.S. and EU policymakers are deeply committed to finding an interoperable solution.”

A Legislative Olive Branch

The Judicial Redress Act, a bill sponsored by Rep. Jim Sensenbrenner, R-Wisc., was designed to offer some limited legal remedy to Europeans who believe their privacy rights have been infringed. Many observers suggested the bill was a sign of good faith that Americans were taking European concerns seriously, even if it didn’t provide much concrete reform. But Europeans felt insulted when Sen. John Cornyn, R-Texas, and Sen. Orrin Hatch, R-Utah, tacked on amendments to the bill in the final hour attempting to limit the ability of European citizens to sue in U.S. courts when infringing on matters of national security. So far, the Redress Act has failed to pass, even as sources on Capitol Hill said the bill had been “hotlined,” or fast-tracked for a vote on Tuesday.

Even if the Redress Act had passed without the new amendments, critics say it would have been irrelevant to the core of the CJEU decision — NSA surveillance.

“The Redress Act doesn’t deal with any of the surveillance concerns in the Schrems case,” said Amie Stepanovich, U.S. policy manager for Access Now, over the phone on Tuesday. “We do think it is really important that substantive surveillance reform be put into place before [the agreement] can survive challenge. And EU member states need to take a look at their own surveillance practices.”

The Judicial Redress Act was proposed as a remedy to the Umbrella Agreement, which deals with the transatlantic transfer of private information between law enforcement agencies — not Safe Harbor.

The Redress Act and Safe Harbor “are politically tied together by Congress,” said Albrecht to The Intercept. “But in legal nature they don’t have anything to do with each other. Access to European companies’ data is not covered by this Redress bill.”

Top photo: The emblem of the European Court of Justice.