Privacy Shield will not survive legal challenge, says Schrems
-
Max Schrems (left) and Jan Albrecht (right) during an earlier meeting in the European Parliament. (Photo: Martin Hanzel)
Austrian activist Max Schrems reckons the latest data-sharing deal between the EU and US unveiled on Tuesday (12 July) is vulnerable to legal challenges, and will not last long.
“The European Commission is jumping from one ice-floe to another. It knows it will sink sooner or later, but keeps jumping in the meantime," Schrems told journalists at the European Parliament on Tuesday.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
He was speaking just before the deal - known as Privacy Shield - was officially announced by justice commissioner Vera Jourova.
Jourova said the deal brought to a close "more than two and a half years of work since the Commission first raised concerns about the old Safe Harbour arrangement and whether it was really safe enough to protect the fundamental rights of Europeans".
Member states gave it the go-ahead last Friday.
The European Court of Justice (ECJ) outlawed Safe Harbour, the previous framework, in October 2015, acting on a case brought by Schrems.
The court ruled that personal data could only be sent to third countries that ensured protection of privace that was ”essentially equivalent” to EU level.
The situation forced business to rely on more complicated rules for legally transferring data to the US, causing stumbling blocks for digital business. Transatlantic data flows are estimated at €230 billion a year.
EU and US authorities have scrambled to replace the deal.
'Fundamentally different' deal
Jourova insisted that Privacy Shield was “fundamentally different” from Safe Harbour.
She said it included stronger data protection, redress mechanisms and US assurances that access to personal data for law enforcement or national security purposes would be limited to what is necessary and proportionate.
”Since releasing the first draft in February, we have been able to make it even better and clearer by taking on board the recommendations of Europe’s independent data protection authorities, as well as the resolution of the European Parliament,” she said.
MEPs, national data protection authorities represented by the Article 29 Working Party, European Ombudsman Emily O’Reilly and the European Data Protection Supervisor Giovanni Buttarelli had voiced concerns about Privacy Shield as the proposal was worked out this spring.
EU data protection authorities said they were analysing the framework and would finalise a position by July 25.
Schrems said the deal had not addressed the ECJ's concerns and was full of loopholes.
US authorities could still access EU citizens' data on very thin grounds, he said.
"The US merely promised that bulk collection of data would only happen when specific targeted collection is not possible," Schrems said. "US authorities have the right to use chosen parts of the data, just not the whole data set."
While ECJ had insisted on better access to justice, the new deal had limited redress mechanisms to a toothless ombudsman, Schrems argued.
It was furthermore clear that US didn't offer a level of protection ”essentially equivalent” to that of the EU.
The ECJ had worried that the US allowed for mass surveillance, and the situation had not changed, Schrems argued. And there was nothing the EU could do about it.
"The political dilemma of the commission is that the US Congress isn't willing to deliver," he said.
He had raised his case after exchange studies in Silicon Valley. A representative of a US tech firm, visiting the class room, had bragged that EU authorities were turning a blind eye to US privacy standards.
On his return to Europe, Schrems crowdfunded a campaign that brought Facebook to court for privacy violation.
Schrems said he was sure that Privacy Shield would not survive a legal challenge. But he hoped he would not have to be the one to launch the case.
”That’s the job of data protection authorities, not of students,” he said.
US pressure
Schrems said he had met Jourova and was sure she understood the problems. But he said that pressure put on the commission by member states and the US made her pass over ECJ concerns.
It would take some years before legal action had run its course and Privacy Shield was invalidated.
But it was possible that the framework would not work anyway. The legal uncertainty would make it risky for business to use the framework, Schrems argued.
"I actually don't expect many companies to sign up to the deal," he added.
Microsoft and Google have, however, already indicated they would be interested in Privacy Shield. Facebook has not yet commented.
MEPs of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) have already criticised the deal, and will adopt a resolution in September.
Although their resolutions are non-binding, it is likely to heap more pressure on the commission to rethink the deal.
Site Section
Related stories
- Privacy whiz Max Schrems set to challenge other big firms
- EU and US agree data 'Privacy Shield'
- US government allowed to plead in Facebook data case
- EU regulators cautiously endorse US data pact
- Skype and WhatsApp face tougher EU privacy rules
- Privacy activists mount court challenge to EU-US data pact