Lobbyists, government officials, and technology executives celebrated news from Strasbourg on Tuesday morning that the European Commission and the United States had reached an agreement to reinstate the free flow of massive amounts of data between companies in the United States and the European Union, safeguarding users’ privacy at a new level.
But while some cheered the new agreement, dubbed the “Privacy Shield,” and thanked negotiators for providing “certainty” to businesspeople who deal in big data, many were quite a bit more skeptical of its success and said they would reserve final judgment until the agreement is formally spelled out on paper, which could take weeks or months.
The Article 29 Working Party — a data protection authority set up the European Parliament — said on Wednesday morning that it was pleased an agreement had been reached, but expressed concerns about the commitment of the United States — especially regarding the scope of its surveillance activities and relevant legal remedies available to all people. The party said it would not formally weigh in until the text of the agreement surfaces, and assigned a new deadline to release it: the end of February.
The scramble to come up with a new data-sharing arrangement kicked off when the European Court of Justice (CJEU), the top court of the European Union, ruled on October 6 that the NSA’s indiscriminate overseas surveillance interfered with the “fundamental rights” of its citizens, whose data it has the responsibility to protect. The Safe Harbor agreement — the early 2000s principles agreed upon to guarantee U.S. companies were respecting European digital rights when transferring data overseas — was deemed invalid.
Austrian law student Max Schrems brought the issue to the attention of the CJEU after suing Facebook for ignoring European privacy laws when it transferred his personal data to the U.S., where he argued it was subject to collection by the NSA.
The Article 29 Working Party assigned a deadline of January 31 for negotiators to reach a new deal, threatening to unleash Europe’s Data Protection Agencies to pursue penalties against companies breaking European privacy laws. Negotiators missed the deadline by a few days, but have largely reassured the DPAs with the announcement of a new deal.
The new agreement calls for an ombudsman in the State Department to review complaints from Europeans about U.S. privacy infractions, as well as for written promises from U.S. government officials that they will not spy indiscriminately on European citizens. It also calls for yearly reviews. So far, however, there has been no mention of a deadline for Congress to reform its spying programs, including Section 702 of the Foreign Intelligence Surveillance Act, which allows the NSA to sweep up large streams of overseas digital communications with practically no privacy protections.
While agreeing that the Privacy Shield deal is important for data protection, critical observers said that the negotiations had totally missed the point, which was to encourage surveillance reform in both jurisdictions.
Jan Philipp Albrecht, a member of the European Parliament serving on the Committee on Civil Liberties, Justice, and Home Affairs, quickly lashed out at the deal, calling it “an affront to the European Court of Justice” that “foresees no legally binding improvements” to American or European spying laws.
“There has only been a political agreement on the general framework” of the data-sharing arrangement, Albrecht told me in a telephone interview. “The deadline has passed, and they have not delivered. This is not really improving the legal situation of European citizens — there’s not any change in the legal text foreseen.” He said the U.S. was only required to “make a promise that everything’s fine” and appoint “an ombudsman, who is just the messenger for answers that are the same” about U.S. policy.
Estelle Masse, a policy analyst for the Brussels-based rights group Access Now, also thought the deal was built more on politics than a genuine intention to reform.
“For months the negotiators were having political discussion about a legal question,” she wrote in an email to The Intercept. “The discussions were about whether the ruling was ‘anti-American’ or if the EU was rejecting the U.S. as a democracy. This is neither the case nor the point. As a result, what we have today is an attempt at a political fix.”
European Digital Rights plainly described Tuesday’s announcement as Europe’s “plans to back down from defending the European Court’s ruling and accept a new badly flawed arrangement.” Joe McNamee, the rights group’s executive director, predicted that the deal would be a short term stop gap: “Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail.”
Businesses and trade groups, while feverishly releasing congratulatory press releases as the deal was announced, worried privately that they may soon be right back in the same uncertain position.
“Any risk of legal challenge is unsettling for business,” said Mike Uehlein, a spokesperson for the Direct Marketing Association, during a phone call with The Intercept. While he emphasized that the trade group is “excited [negotiators have] continued to make this a priority,” he told me that a second European Court of Justice challenge would put “everyone back in the sticky situation, wondering what’s going to happen. It has not been fun.”
Daniel Castro, a vice president at the Information, Technology, and Innovation Foundation, agreed that “uncertainty is always bad for business” but expressed optimism that good faith efforts to arrive at an agreement would likely continue. “The agreement shows that U.S. and EU policymakers are deeply committed to finding an interoperable solution.”
A Legislative Olive Branch
The Judicial Redress Act, a bill sponsored by Rep. Jim Sensenbrenner, R-Wisc., was designed to offer some limited legal remedy to Europeans who believe their privacy rights have been infringed. Many observers suggested the bill was a sign of good faith that Americans were taking European concerns seriously, even if it didn’t provide much concrete reform. But Europeans felt insulted when Sen. John Cornyn, R-Texas, and Sen. Orrin Hatch, R-Utah, tacked on amendments to the bill in the final hour attempting to limit the ability of European citizens to sue in U.S. courts when infringing on matters of national security. So far, the Redress Act has failed to pass, even as sources on Capitol Hill said the bill had been “hotlined,” or fast-tracked for a vote on Tuesday.
Even if the Redress Act had passed without the new amendments, critics say it would have been irrelevant to the core of the CJEU decision — NSA surveillance.
“The Redress Act doesn’t deal with any of the surveillance concerns in the Schrems case,” said Amie Stepanovich, U.S. policy manager for Access Now, over the phone on Tuesday. “We do think it is really important that substantive surveillance reform be put into place before [the agreement] can survive challenge. And EU member states need to take a look at their own surveillance practices.”
The Judicial Redress Act was proposed as a remedy to the Umbrella Agreement, which deals with the transatlantic transfer of private information between law enforcement agencies — not Safe Harbor.
The Redress Act and Safe Harbor “are politically tied together by Congress,” said Albrecht to The Intercept. “But in legal nature they don’t have anything to do with each other. Access to European companies’ data is not covered by this Redress bill.”
Top photo: The emblem of the European Court of Justice.
Watch what you say, now, you know that the NSA has three people full-time reading The Intercept.(:
Why Europeans would believe anything this country has to say about surveillance, I don’t know. After we’ve been caught eavesdropping on their leaders, and lying about spying on our own citizens, I guess the only explanation is that they have their own surveillance operations they don’t want exposed.
I totally agree with RB, that the non-confrontation aspect of what our agencies do is the most dangerous. How can you oppose an enemy you can’t prove and may not know is there?
Who can trust the US government or it’s agencies? If a country breaches the very foundation on which it is built – The Constitution – why should anyone have faith they will honour this agreement?
If the US government breaches the Geneva Conventions governing war activities, why should we expect compliance with this scrap of paper?
I don’t think any agreement with the USA is worth the paper it is written on, who are we going to trust – the aged, publicly exposed liar called CLAPPER?
The thing that is so dangerous about unchecked and warrantless surveillance is “non-confrontation” to the target of surveillance. Without official and overt “confrontation” judges can’t provide oversight over police, prosecutors or intelligence officials.
When the political branches are totally dysfunctional, only judges can provide proper oversight. If the target of surveillance is never confronted, he or she can’t establish “legal standing” in a court of law.
For example: surveillance blacklistees (never confronted) may never know why they lost their job, marriage or reputation. If they knew it were the FBI or MI5 that destroyed them (confrontation), the innocent targets blacklisted could then claim harm or “legal standing” in a court of law to challenge these bogus programs.
Today some (not all) cops, prosecutors or spooks, that happen to be disloyal to their oath of office, can destroy anyone for anything. Without confrontation they could use these authorities for purely petty and vindictive reasons – the boy dating the cop’s daughter, the guy dating the cop’s ex wife or simply people they dislike.
This is precisely the non-confrontational system used during the Cold War by the East German Stasi (communist secret police). This communist system resulted in one of the highest death rates in Europe during the Cold War. Famed Nazi hunter, Simon Weisenthal, once said this non-confrontational domestic spying or blacklisting by the Stasi was far worse than the tactics of the Gestapo during World War Two. It destroys innocent people using covert tactics, essentially torturing them until they commit suicide.
The bureaucrats in that perpetrate this type of torture and war crimes take no responsibility for the consequences of their actions and since it happens over years and decades, many seem to be totally clueless about the role they play. Today the United States has embraced this communist model of domestic spying – most of their crime victims aren’t aware the U.S. government is behind it.
“Confrontation” acts as a deterrent to prevent this type of war crime. Judges should loudly demand that surveillance targets be confronted within months, not decades, after bogus surveillance programs are initiated. The result is death of many innocent people.
Very true RB.
We must accept the fact that EU is not in possession of its own rights as a geopolitical power. We ARE an american province. We are loosing billion of euros cause of the sanctions against Russia, but those sanctions are imposed by Washington that has little commercial exchange with Russia. We must buy F-35 plane fighters, but those aeroplanes are not tecnologically overdue in respect to sukhoi-35 and even the old eurofighter. We must accept TTIP even if this means that we are giving our own sovereignty over to American authorities.
George Orwell never ever could imagine such fictional plot.
It is interesting to see how attention is drawn away from US reform (June 2, 2015) and on to the European stage. With data shooting all around the world, regardless of where it is created, I think it will be hard to provide net security to people in the next decades without any changes in data itself. Instead of working out new legal structures it would far more effective to start thinking about “general and effective encryption”. While I know this is practically far less feasible on a large scale than adatpting or creating legislation, it would provide a real answer to any actor, state or non-state, who seeks to undermine our inherent privacies. However, as a “province” the EU is not in any position to be making such bold statements. Provinces are as provinces do… they follow.
PS: just yesterday the US stated it will be increase the amount of ammunition stored in the Zutendaal miltary base Belgium. Indeed, defense is on the rise again in Europe; let’s hope it is not a foreboding.
There’s more than enough data for everybody. So it’s nice they’ve stopped fighting and have agreed to share.
The EU has accepted in the past that US companies can regulate and police themselves, since Europe doesn’t have the resources to do this. So US companies just need to make a clear statement that they will respect the privacy rights of Europeans, just as much as the US government respects the Fourth Amendment rights of Americans.
Thanks for the great articles from all of you reporting here. Its feels great taking in a breath of reality weekly, reading here. Its my decision to chose who i believe tells it in its most un-biased form. You guys seem to hit it pretty close. You have your side, the facts and names of sources which they come from. Twitter has opened up with info (true purpose behind policy/interests of the many not considered/suffering for profit) from all over the web and “posted” by You, WiLk, JA, ES, GG, etc. Change is coming for better AND worse i believe, being informed helps avoid the latter… i believe.
Thanks again