Thursday

9th Apr 2020

Privacy Shield will not survive legal challenge, says Schrems

  • Max Schrems (left) and Jan Albrecht (right) during an earlier meeting in the European Parliament. (Photo: Martin Hanzel)

Austrian activist Max Schrems reckons the latest data-sharing deal between the EU and US unveiled on Tuesday (12 July) is vulnerable to legal challenges, and will not last long.

“The European Commission is jumping from one ice-floe to another. It knows it will sink sooner or later, but keeps jumping in the meantime," Schrems told journalists at the European Parliament on Tuesday.

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

He was speaking just before the deal - known as Privacy Shield - was officially announced by justice commissioner Vera Jourova.

Jourova said the deal brought to a close "more than two and a half years of work since the Commission first raised concerns about the old Safe Harbour arrangement and whether it was really safe enough to protect the fundamental rights of Europeans".

Member states gave it the go-ahead last Friday.

The European Court of Justice (ECJ) outlawed Safe Harbour, the previous framework, in October 2015, acting on a case brought by Schrems.

The court ruled that personal data could only be sent to third countries that ensured protection of privace that was ”essentially equivalent” to EU level.

The situation forced business to rely on more complicated rules for legally transferring data to the US, causing stumbling blocks for digital business. Transatlantic data flows are estimated at €230 billion a year.

EU and US authorities have scrambled to replace the deal.

'Fundamentally different' deal

Jourova insisted that Privacy Shield was “fundamentally different” from Safe Harbour.

She said it included stronger data protection, redress mechanisms and US assurances that access to personal data for law enforcement or national security purposes would be limited to what is necessary and proportionate.

”Since releasing the first draft in February, we have been able to make it even better and clearer by taking on board the recommendations of Europe’s independent data protection authorities, as well as the resolution of the European Parliament,” she said.

MEPs, national data protection authorities represented by the Article 29 Working Party, European Ombudsman Emily O’Reilly and the European Data Protection Supervisor Giovanni Buttarelli had voiced concerns about Privacy Shield as the proposal was worked out this spring.

EU data protection authorities said they were analysing the framework and would finalise a position by July 25.

Schrems said the deal had not addressed the ECJ's concerns and was full of loopholes.

US authorities could still access EU citizens' data on very thin grounds, he said.

"The US merely promised that bulk collection of data would only happen when specific targeted collection is not possible," Schrems said. "US authorities have the right to use chosen parts of the data, just not the whole data set."

While ECJ had insisted on better access to justice, the new deal had limited redress mechanisms to a toothless ombudsman, Schrems argued.

It was furthermore clear that US didn't offer a level of protection ”essentially equivalent” to that of the EU.

The ECJ had worried that the US allowed for mass surveillance, and the situation had not changed, Schrems argued. And there was nothing the EU could do about it.

"The political dilemma of the commission is that the US Congress isn't willing to deliver," he said.

He had raised his case after exchange studies in Silicon Valley. A representative of a US tech firm, visiting the class room, had bragged that EU authorities were turning a blind eye to US privacy standards.

On his return to Europe, Schrems crowdfunded a campaign that brought Facebook to court for privacy violation.

Schrems said he was sure that Privacy Shield would not survive a legal challenge. But he hoped he would not have to be the one to launch the case.

”That’s the job of data protection authorities, not of students,” he said.

US pressure

Schrems said he had met Jourova and was sure she understood the problems. But he said that pressure put on the commission by member states and the US made her pass over ECJ concerns.

It would take some years before legal action had run its course and Privacy Shield was invalidated.

But it was possible that the framework would not work anyway. The legal uncertainty would make it risky for business to use the framework, Schrems argued.

"I actually don't expect many companies to sign up to the deal," he added.

Microsoft and Google have, however, already indicated they would be interested in Privacy Shield. Facebook has not yet commented.

MEPs of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) have already criticised the deal, and will adopt a resolution in September.

Although their resolutions are non-binding, it is likely to heap more pressure on the commission to rethink the deal.

EU and US agree data 'Privacy Shield'

A new transatlantic agreement replaces the Safe Harbour deal with what the Commission says are increased guarantees for the protection of Europeans' personal data.

News in Brief

  1. IMF: Pandemic crisis will be worse than great depression
  2. German economy minister expects progress on EU deal
  3. Italian PM: EU is at risk if no deal on recovery plan
  4. Belgian region to block EU Green Deal
  5. EU commission launches green finance consultation
  6. EU parliament kitchens to cook for homeless
  7. EU sets aside €15.6bn for virus fight in Africa and beyond
  8. CO2 emissions from EU plunge 60 percent

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. UNESDAMaking Europe’s Economy Circular – the time is now
  2. Nordic Council of MinistersScottish parliament seeks closer collaboration with the Nordic Council
  3. UNESDAFrom Linear to Circular – check out UNESDA's new blog
  4. Nordic Council of Ministers40 years of experience have proven its point: Sustainable financing actually works
  5. Nordic Council of MinistersNordic and Baltic ministers paving the way for 5G in the region
  6. Nordic Council of MinistersEarmarked paternity leave – an effective way to change norms

Latest News

  1. Why Europe must act now, and on a big scale
  2. EU court blocks Poland's bid to 'frighten' judges
  3. Coronavirus sees approval-rating soar for EU leaders
  4. EU science chief who 'quit' had been told to resign
  5. EU delays 'exit strategies' plan, as WHO urges caution
  6. EU stalemate after 16-hour meeting on economic aid
  7. The future of 'Made in China' after coronavirus?
  8. Refugees across Europe help fight the pandemic

Join EUobserver

Support quality EU news

Join us