Privacy Shield will not survive legal challenge, says Schrems
Austrian activist Max Schrems reckons the latest data-sharing deal between the EU and US unveiled on Tuesday (12 July) is vulnerable to legal challenges, and will not last long.
“The European Commission is jumping from one ice-floe to another. It knows it will sink sooner or later, but keeps jumping in the meantime," Schrems told journalists at the European Parliament on Tuesday.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
He was speaking just before the deal - known as Privacy Shield - was officially announced by justice commissioner Vera Jourova.
Jourova said the deal brought to a close "more than two and a half years of work since the Commission first raised concerns about the old Safe Harbour arrangement and whether it was really safe enough to protect the fundamental rights of Europeans".
Member states gave it the go-ahead last Friday.
The European Court of Justice (ECJ) outlawed Safe Harbour, the previous framework, in October 2015, acting on a case brought by Schrems.
The court ruled that personal data could only be sent to third countries that ensured protection of privace that was ”essentially equivalent” to EU level.
The situation forced business to rely on more complicated rules for legally transferring data to the US, causing stumbling blocks for digital business. Transatlantic data flows are estimated at €230 billion a year.
EU and US authorities have scrambled to replace the deal.
'Fundamentally different' deal
Jourova insisted that Privacy Shield was “fundamentally different” from Safe Harbour.
She said it included stronger data protection, redress mechanisms and US assurances that access to personal data for law enforcement or national security purposes would be limited to what is necessary and proportionate.
”Since releasing the first draft in February, we have been able to make it even better and clearer by taking on board the recommendations of Europe’s independent data protection authorities, as well as the resolution of the European Parliament,” she said.
MEPs, national data protection authorities represented by the Article 29 Working Party, European Ombudsman Emily O’Reilly and the European Data Protection Supervisor Giovanni Buttarelli had voiced concerns about Privacy Shield as the proposal was worked out this spring.
EU data protection authorities said they were analysing the framework and would finalise a position by July 25.
Schrems said the deal had not addressed the ECJ's concerns and was full of loopholes.
US authorities could still access EU citizens' data on very thin grounds, he said.
"The US merely promised that bulk collection of data would only happen when specific targeted collection is not possible," Schrems said. "US authorities have the right to use chosen parts of the data, just not the whole data set."
While ECJ had insisted on better access to justice, the new deal had limited redress mechanisms to a toothless ombudsman, Schrems argued.
It was furthermore clear that US didn't offer a level of protection ”essentially equivalent” to that of the EU.
The ECJ had worried that the US allowed for mass surveillance, and the situation had not changed, Schrems argued. And there was nothing the EU could do about it.
"The political dilemma of the commission is that the US Congress isn't willing to deliver," he said.
He had raised his case after exchange studies in Silicon Valley. A representative of a US tech firm, visiting the class room, had bragged that EU authorities were turning a blind eye to US privacy standards.
On his return to Europe, Schrems crowdfunded a campaign that brought Facebook to court for privacy violation.
Schrems said he was sure that Privacy Shield would not survive a legal challenge. But he hoped he would not have to be the one to launch the case.
”That’s the job of data protection authorities, not of students,” he said.
Schrems said he had met Jourova and was sure she understood the problems. But he said that pressure put on the commission by member states and the US made her pass over ECJ concerns.
It would take some years before legal action had run its course and Privacy Shield was invalidated.
But it was possible that the framework would not work anyway. The legal uncertainty would make it risky for business to use the framework, Schrems argued.
"I actually don't expect many companies to sign up to the deal," he added.
Microsoft and Google have, however, already indicated they would be interested in Privacy Shield. Facebook has not yet commented.
MEPs of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) have already criticised the deal, and will adopt a resolution in September.
Although their resolutions are non-binding, it is likely to heap more pressure on the commission to rethink the deal.