Europe and US strike post-Snowden data transfer deal: Privacy Shield

The US and Europe have reached a new agreement they hope will once again legalise personal data transfers across the Atlantic. Critics, however, think it won’t stand up to a court challenge.

Privacy Shield is the name of the new deal reached between European and US negotiators on Tuesday that both sides hope will facilitate the legal transfer of personal data across the Atlantic Ocean.

The agreement is meant to replace Safe Harbour, which was ruled illegal in October by the European Court of Justice for having done little in its 15-year existence to protect Europeans from mass surveillance through programs such as the NSA’s PRISM.

The European Commission said on Tuesday that a new framework based on written promises from the US will protect the fundamental rights of Europeans and hence offer legal certainty for businesses.

Key to Privacy Shield are “stronger obligations” on US companies to protect Europeans’ personal data and closer monitoring by the US Department of Commerce and Federal Trade Commission.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said EC commissioner of justice, Věra Jourová.

“In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”

The US government has provided “written assurances” that its agencies’ access to data will be subject to limitations, safeguards and oversight. That oversight includes a joint EU-US annual review and a new Ombudsperson who will handle complaints about US surveillance, while European data protection authorities can refer complaints to the US authorities.

Though the final text of the agreement hasn’t been settled yet, critics say that what’s known about it likely won’t stand up to a challenge in European courts, in part because nothing appears to be legally binding. Europe’s data protection authorities will have a chance to make amendments to the arrangement in coming days.

Max Schrems, the Austrian law student whose case against Facebook brought down the Safe Harbour scheme, said the new deal offered Europeans little improvement.

“With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” said Schrems.

“I doubt that a European can walk to a US court and claim his fundamental rights based on a letter by someone,” he added.

Jan Philipp Albrecht, Green home affairs and data protection spokesperson, called the new framework a “reheated serving” of the old Safe Harbour.

“The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens' complaints. This is a sellout of the fundamental EU right to data protection,” said Albrecht.

Others, however, are cautiously optimistic. Microsoft’s chief legal counsel Brad Smith called the deal a “vital step in maintaining data flows and strengthening confidence in the cloud.”


Stories by Liam Tung
