Back in October, we noted that it was a really big deal that the European Court of Justice had said that the EU/US Safe Harbor framework violated
data protection rules, because it had become clear that the NSA was scooping up lots of the data. The issue, if you're not aware of it, is that under the safe harbor framework, US internet companies could have European customers and users, with their information and data stored on US servers. Without the safe harbor framework, there are at least some cases where many companies would be forced to set up separate data centers in Europe, and make sure European information is kept there.
Many privacy activists are actually supportive of keeping the data in Europe altogether, but I still think that would be a disaster for lots of internet companies and services -- especially smaller ones. The big guys -- Google, Facebook, Microsoft, Yahoo, Twitter, etc. -- can afford to have separate European data centers. A small company -- like Techdirt -- cannot
. Requiring separate data centers and careful separation of the data would ensure less competition and fewer startups to take on the big guys. That's a problem. Beyond that, having those separate data centers could actually lead to even less privacy
in the long run, because having many jurisdictions in which data is kept means that, inevitably, some of those jurisdictions will fall into states that have even worse surveillance and fewer data protections -- and also leaves open the opportunity for different data center setups, which may lead to more vulnerabilities. Remember, when the NSA broke into Google and Yahoo's datacenters, they were the ones outside the US
, which may have had weaker security. And, despite many Europeans not wishing to believe this, many European countries have many fewer
restrictions on the kind of surveillance their intelligence agencies are able to do on local data and citizens.
issue here is mass surveillance overall. The only
real way to fix this issue is to stop mass surveillance
and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted
surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement. That agreement was supposed to have been concluded by a fake "deadline" set for yesterday, but after missing that and claiming that progress had been made on a new agreement
, a new deal was finally announced
a few hours ago, with the ridiculous name "The EU-US Privacy Shield."
Here's the key part of the announcement:
- Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The key thing here? The claim that the US "has ruled out indiscriminate mass surveillance on the personal data transferred to the US." I'm curious about how much bullshit the NSA will be able to sneak under "indiscriminate." I'm also curious as to what kind of real oversight there will be. The EU Commission and the Department of Commerce will be able to review, but we all know how good the NSA is at hiding what it's actually doing from oversight bodies. Finally, the "ombudsperson" only matters if they have actual power, and that seems incredibly unlikely.
And as Max Schrems, who brought the original case that took down the safe harbors, is saying (over and over again), as it stands right now, it looks like this new deal will lose again in the EU courts
And that brings us back to the underlying point. The effort to kill off the safe harbor agreement wasn't really about the safe harbor agreement at all, but to force the hand of the US government (and hopefully European governments as well) to recognize that they need to stop doing mass surveillance. The claim above about no indiscriminate mass surveillance pays lip service to that idea, but there needs to be some real and concrete change to make that happen. And that's going to take more than an "exchange of letters" between the EU and the US, as the basis of this deal. It's going to need actual surveillance reform, not just the "surveillance reform lite" we saw with the USA FREEDOM Act.
Again, I think having the ability to transfer data from the EU to the US is hugely important -- which not everyone agrees with. Fragmenting the internet by requiring that data stays in certain countries seems as silly to me as geoblocking content. But the underlying issue here is not about where the data is stored -- it's about mass surveillance. Focusing the agreement on how to allow data transfers without actually tackling how to stop mass surveillance is inevitably a fake solution.