The Privacy Shield agreement has been under negotiation for months, ever since the European Court of Justice ruled in October 2015 that the previous EU-US data agreement — Safe Harbor — was invalid. The issue arises from the strict EU laws — enshrined in the Charter of Fundamental Rights of the European Union — on the privacy of personal data.
The Safe Harbor agreement was a quasi-judicial understanding under which the US undertook to ensure that EU citizens' data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information — from Internet and communications usage, to sales transactions, imports and exports.
The case arose when Maximilian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that — in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the US National Security Agency (NSA) — the transfer of data from Facebook's Irish subsidiary onto the company's servers in the US does not provide sufficient protection of his personal data.
The court ruled that "the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals."
The new proposed replacement — known as Privacy Shield — has been agreed after months of negotiation between the US and the EU and promises that: "for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access to personal data […] through an Ombudsperson mechanism within the Department of State, who will be independent from national security services."
"Ombudsman" incidentally, will be official of US government. How does that qualify as "independent" scrutiny? #PrivacyShield — Sophie in 't Veld (@SophieintVeld) February 29, 2016
However, in a swift reaction to the publication of the protocol, Schrems said:
"The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away from EU law. This is nowhere close to 'essential equivalence' that the Court required."
— Max Schrems (@maxschrems) February 29, 2016
Citing Annex 6 of the agreement, in a letter from the Office of the Director of National Intelligence Office of General Counsel (US), Schrems highlighted that the new agreement provides that: "intelligence collected in bulk can only be used for six specific purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion."
"Basically the US openly confirms that it violates EU fundamental rights in at least six cases. The Commission claims that there is no 'mass surveillance' anymore. It used to be the other way around. This charade is not only bluntly in conflict with the law and the Court judgement but also with the documents the Commission presented," Schrems said Monday.
Anna Fielder, chair of Privacy International, said:
"It's still a half-baked agreement. The [proposed] ombudsman is based in the US equivalent of the Foreign Office. We don't know what kind of independence it will have. The [European Court of Justice in its October ruling] demanded an independent authority and this is scarcely independent. How do I know that my data has been abused?"