Privacy Shield is the proposed new deal between the EU and the US that is supposed to safeguard all personal data on EU citizens held on computer systems in the US from being subject to mass surveillance by the US National Security Agency. The data can refer to any transaction — web purchases, cars or clothing — involving an EU citizen whose data is held on US servers.
Human rights campaign groups say Privacy Shield — which replaces the Safe Harbor agreement ruled unlawful in October 2015 — does not meet strict EU standard on the use of personal data. Privacy International's Legal Officer Tomaso Falchetta blogged:
"There are no meaningful legal protections, and therefore any promises today can be easily be undermined tomorrow. The safeguards relating to unlawful surveillance, particularly mass surveillance, by US intelligence agencies continue to not contain meaningful legal protections."
The agreement has been under negotiation for months ever since the because the European Court of Justice ruled in October 2015 that the previous EU-US data agreement — Safe Harbor — was invalid. The issue arises from the strict EU laws — enshrined in the Charter of Fundamental Rights of the European Union — to the privacy of their personal data.
The Safe Harbor agreement was a quasi-judicial understanding that the US undertook to agree that it would ensure that EU citizens' data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information — from internet and communications usage, to sales transactions, import and exports.
The case arose when Maximillian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that — in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the US National Security Agency (NSA) — the transfer of data from Facebook's Irish subsidiary onto the company's servers in the US do not provide sufficient protection of his personal data.
The court ruled that: "the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals."
Privacy Shield promises that: "for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access to personal data […] through an Ombudsperson mechanism within the Department of State, who will be independent from national security services. "
However, Privacy International's Tomaso Falchetta said:
"The proposed Ombudsperson lacks independence from the executive, as he/she is appointed by and report to the Secretary of State. Contrary to assertions in the draft EU Commission adequacy decision, the independence and impartiality of such a mechanism, including the perception of such independence, is questionable."