Wednesday

21st Oct 2020

Privacy Shield will not survive legal challenge, says Schrems

  • Max Schrems (left) and Jan Albrecht (right) during an earlier meeting in the European Parliament. (Photo: Martin Hanzel)

Austrian activist Max Schrems reckons the latest data-sharing deal between the EU and US unveiled on Tuesday (12 July) is vulnerable to legal challenges, and will not last long.

“The European Commission is jumping from one ice-floe to another. It knows it will sink sooner or later, but keeps jumping in the meantime," Schrems told journalists at the European Parliament on Tuesday.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

He was speaking just before the deal - known as Privacy Shield - was officially announced by justice commissioner Vera Jourova.

Jourova said the deal brought to a close "more than two and a half years of work since the Commission first raised concerns about the old Safe Harbour arrangement and whether it was really safe enough to protect the fundamental rights of Europeans".

Member states gave it the go-ahead last Friday.

The European Court of Justice (ECJ) outlawed Safe Harbour, the previous framework, in October 2015, acting on a case brought by Schrems.

The court ruled that personal data could only be sent to third countries that ensured protection of privace that was ”essentially equivalent” to EU level.

The situation forced business to rely on more complicated rules for legally transferring data to the US, causing stumbling blocks for digital business. Transatlantic data flows are estimated at €230 billion a year.

EU and US authorities have scrambled to replace the deal.

'Fundamentally different' deal

Jourova insisted that Privacy Shield was “fundamentally different” from Safe Harbour.

She said it included stronger data protection, redress mechanisms and US assurances that access to personal data for law enforcement or national security purposes would be limited to what is necessary and proportionate.

”Since releasing the first draft in February, we have been able to make it even better and clearer by taking on board the recommendations of Europe’s independent data protection authorities, as well as the resolution of the European Parliament,” she said.

MEPs, national data protection authorities represented by the Article 29 Working Party, European Ombudsman Emily O’Reilly and the European Data Protection Supervisor Giovanni Buttarelli had voiced concerns about Privacy Shield as the proposal was worked out this spring.

EU data protection authorities said they were analysing the framework and would finalise a position by July 25.

Schrems said the deal had not addressed the ECJ's concerns and was full of loopholes.

US authorities could still access EU citizens' data on very thin grounds, he said.

"The US merely promised that bulk collection of data would only happen when specific targeted collection is not possible," Schrems said. "US authorities have the right to use chosen parts of the data, just not the whole data set."

While ECJ had insisted on better access to justice, the new deal had limited redress mechanisms to a toothless ombudsman, Schrems argued.

It was furthermore clear that US didn't offer a level of protection ”essentially equivalent” to that of the EU.

The ECJ had worried that the US allowed for mass surveillance, and the situation had not changed, Schrems argued. And there was nothing the EU could do about it.

"The political dilemma of the commission is that the US Congress isn't willing to deliver," he said.

He had raised his case after exchange studies in Silicon Valley. A representative of a US tech firm, visiting the class room, had bragged that EU authorities were turning a blind eye to US privacy standards.

On his return to Europe, Schrems crowdfunded a campaign that brought Facebook to court for privacy violation.

Schrems said he was sure that Privacy Shield would not survive a legal challenge. But he hoped he would not have to be the one to launch the case.

”That’s the job of data protection authorities, not of students,” he said.

US pressure

Schrems said he had met Jourova and was sure she understood the problems. But he said that pressure put on the commission by member states and the US made her pass over ECJ concerns.

It would take some years before legal action had run its course and Privacy Shield was invalidated.

But it was possible that the framework would not work anyway. The legal uncertainty would make it risky for business to use the framework, Schrems argued.

"I actually don't expect many companies to sign up to the deal," he added.

Microsoft and Google have, however, already indicated they would be interested in Privacy Shield. Facebook has not yet commented.

MEPs of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) have already criticised the deal, and will adopt a resolution in September.

Although their resolutions are non-binding, it is likely to heap more pressure on the commission to rethink the deal.

EU and US agree data 'Privacy Shield'

A new transatlantic agreement replaces the Safe Harbour deal with what the Commission says are increased guarantees for the protection of Europeans' personal data.

News in Brief

  1. Ireland first EU state to re-impose full lockdown
  2. EU countries agree farm policy reform
  3. EU corona-bonds attracted huge demand
  4. France seeks Putin's help on counter-terrorism
  5. Cyber attacks 'targeted health system during pandemic'
  6. Greece asks EU countries to halt military exports to Turkey
  7. Covid-19: Spain considers curfews in hardest-hit areas
  8. Study: Air pollution costs Europeans €1,276 per year

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. UNESDAMaking healthier diets the easy choice
  2. Nordic Council of MinistersUN Secretary General to meet with Nordic Council on COVID-19
  3. UNESDAWell-designed Deposit Return Schemes can help reach Single-Use Plastics Directive targets
  4. Nordic Council of MinistersNordic Council meets Belarusian opposition leader Svetlana Tichanovskaja
  5. Nordic Council of MinistersNordic Region to invest DKK 250 million in green digitalised business sector
  6. UNESDAReducing packaging waste – a huge opportunity for circularity

Latest News

  1. 'Big majority' of citizens want EU funds linked to rule of law
  2. EU declares war on Malta and Cyprus passport sales
  3. EU Commission's Libya stance undercut by internal report
  4. Backroom deal will make CAP reform a catastrophic failure
  5. EU money used by neo-Nazi to promote Holocaust denial
  6. Over 80% of Europe's habitats in poor or bad condition
  7. EU's Brexit move could end deadlock in talks
  8. EU's migrants more at risk from coronavirus

Join EUobserver

Support quality EU news

Join us