Sending Europeans’ data across the Atlantic is legal provided American companies commit themselves to respecting EU privacy standards.
On Thursday March 17, MEPs discussed a new mechanism for transferring data across the Atlantic with experts.
The original arrangement for transferring data to the US was known as Safe Harbour. Austrian law student Max Schrems brought a case against Facebook over violating EU privacy laws. This led to the European Court of Justice annulling Safe Harbour last year for not providing adequate protection of Europeans » personal data, especially against US surveillance activities, as revealed by Edward Snowden in 2013. The European Commission then had to negotiate a new arrangement with the US.
A new mechanism called Privacy Shield was agreed between the Commission and the US government in February to enable transatlantic data flows for commercial purposes, while at the same time ensuring that Europeans’ personal information is properly protected.
New deal fit for purpose?
Parliament’s civil liberties committee held a hearing on the new Privacy Shield arrangement with experts on Thursday 17 March. Representatives from both the Commission and the US government stressed that the new system would provide more privacy guarantees to Europeans by limiting government access to their data and allowing them to defend their rights in US courts.
Several MEPs also pointed out that the new arrangement was better than the previous one. German EPP member Axel Voss said: « Privacy Shield is not Safe Harbour because it guarantees effective protection of EU individuals’ privacy rights. » He added that the new deal would meet the concerns of the European Court of Justice because it contains clear limits on US government access to data.
German S&D member Birgit Sippel added: « I clearly see some improvements compared with Safe Harbour. » However, she expressed concerns about the possibility of bulk data collection.
Other MEPs and privacy activists participating in the hearing criticised Privacy Shield. Dutch ALDE member Sophie in ‘t Veld said she seriously doubted whether the new arrangement would provide sufficient safeguards against mass surveillance.
Max Schrems, whose case against Facebook led to Safe Harbour’s downfall, told MEPs: « We need a system that provides real protection and not just some wording that doesn’t work in practice. »
Before the deal can enter into force, the Commission needs to declare that Privacy Shield offers a sufficient level of data protection.
In addition Parliament’s consent will be needed for the umbrella agreement dealing with privacy guarantees for data transfers in the area of law enforcement. It will complement existing agreements with the US that allow access to airline passenger information (passenger name records agreement) and bank transactions (Swift/TFTP agreement).