Companies like Facebook and Google can continue transferring data from the European Union to their servers in the US under a new deal between the two governments that privacy advocates still say isn't good enough.
The agreement, known as the EU-US Privacy Shield Framework, is a new set of guidelines approved by the US Commerce Department and the European Commission today that governs data-sharing between Europe and the United States. The Privacy Shield replaces the EU's so-called Safe Harbor Decision, in place since 2000, which asserted that the US provided adequate privacy protections to meet EU standards, providing US-based tech companies legal cover for transferring data from Europe to their home servers. Last October, citing Edward Snowden's revelations about mass surveillance by US authorities, an EU court struck down the Safe Harbor Decision, a move that could have opened tech companies to investigations and lawsuits.
Under the Privacy Shield, US companies will be able to "self-certify" that they follow the privacy principles outlined in the framework. The agreement establishes an "ombudsperson" in the US State Department who will address privacy-related questions and complaints from people in the EU.
Privacy advocates say those protections are inadequate and want to see the Privacy Shield quashed. The ombudsperson will have limited power to fix problems and won't be all that independent since that person will report to the Secretary of State, argues Privacy International. Digital rights advocacy group Access Now says the Privacy Shield does little to address mass surveillance, the very concern that led the court to throw out Safe Harbor in the first place. The group says that law enforcement agencies can still legally spy on non-US citizens under Foreign Intelligence Surveillance Act. Although federal law requires some oversight over such surveillance and demands that such surveillance be "targeted," Access Now argues that EU law has a more strict definition of what counts as "targeted." Ultimately, the group says, US companies have a legal "out" when complying with law enforcement requests that runs counter to EU law.
"The final version of the text offers clarity on US surveillance practices and access to remedy for EU citizens," Access Now wrote in a statement released last week ahead of the EU Commission vote. "It however fails to address the substantial shortcomings of the agreement."
What's really needed is major reform to US privacy and surveillance laws that will curb the possibility mass surveillance of EU citizens altogether, privacy groups argue. But EU officials have already decided that the Privacy Shield is good enough. Once again, the courts will likely end up determining who's right.
