Tuesday

21st Sep 2021

Bulk collection still allowed under EU-US data 'shield'

  • Schrems (l) says the US will continue to bulk collect data despite EU-US Privacy Shield (Photo: Martin Hanzel)

The EU Commission on Monday (29 February) released details of a US data transfer agreement said to be worth some $260 billion.

But the Brussels executive warned it would not hesitate to suspend the self-certification pact should the current or next US administration fail to adhere to the new rules under the so-called EU-US Privacy Shield.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

"We will suspend and we mean it," an EU official told reporters in Brussels.

Austrian privacy campaigner Max Schrems, whose court case against Facebook helped shape Privacy Shield, said the latest agreement contained only minor improvements.

He noted the US still had wide bulk collection data powers despite US reforms

This includes, according to the US government, "countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion."

The EU official, for her part, says any bulk collection by the US would be an exception.

Signed letters

Letters signed by top US officials, and published in the US federal register, underpin the commitments made in Shield.

They include signatures by US secretary of state John Kerry, US secretary of commerce Penny Pritzker, and US commissioner of the federal trade commission Edith Ramirez.

"I don't expect that whoever comes next in the next US administration will easily play with that," added the official.

Privacy Shield, which still needs to be formalised before official launch, replaces an invalidated 15-year old data transfer agreement known as Safe Harbour.

The pact is supposed to ensure an "adequate" level of privacy protection whenever someone's data is transferred to the US from the EU.

The suspension threat is meant, in part, to address broader concerns that the latest deal would fall apart should it end up in the European Court of Justice in Luxembourg or should US counterparts fail to take it seriously.

The Luxembourg court last October scrapped Safe Harbour, which was riddled with loopholes and seldom enforced by the US Federal Trade Commission. Some 4,000 US firms had signed up to the pact.

The latest deal is the end result of two years of talks between EU and US negotiators following mass surveillance revelations by former National Security Agency contractor Edward Snowden.

The court ruled that any form of "access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.

German Green MEP Jan Phillipp Albrecht, who steered the data protection bill through the parliament, remains sceptical that Shield can deliver.

"The new 'Privacy Shield' framework appears to amount to little more than a remarketed version of the pre-existing Safe Harbour decision, offering little more than cosmetic changes," he said in a statement.

The EU official said the commission would scrap the latest pact should US companies not "live up to the obligations they have signed up to" and if complaints by EU citizens are not properly handled.

Privacy Shield extends also to alternative data transfer contracts.

The pact contains a handful of novelties, including a US ombudsperson to oversee complaints by EU citizens on national security breaches, a joint annual review of the pact, and a 45-day response delay by companies.

“That is a tight deadline if you look at the structure of multinationals and complexity of cross border cases," said Jorg Hladjk, counsel at Hunton & Williams law firm in Brussels.

US under-secretary of state Catherine Novelli will oversee the ombudsperson role and steer individual complaints through the US system.

US companies that fail to comply could be delisted from the scheme or face possible fines from the US federal trade commission.

"Most of these cases will concern cases where an individual is asking for access or notification of his data for the processing of data to not be transferred to a company outside of Privacy Shield," said a second EU official.

The EU-US data deal that isn't

The lack of any legal documents and content on the new transatlantic data transfer agreement is raising doubts about the deal struck on Tuesday.

EU defends US data pact, as Facebook court case opens

An Austrian privacy campaigner vs Facebook over the future of data transfers to the US case opened at the European Court of Justice in Luxembourg on Tuesday. The European Commission, meanwhile, says the Privacy Shield pact is working fine.

Cracks emerge in EU US data 'shield'

Issues of mass surveillance and a weak legal basis on a new data privacy deal with the US is casting doubt on its viability should it end up before the European Court of Justice in Luxembourg.

Agenda

Refugees, asylum and data protection This WEEK

Another EU summit will try to agree on the plan proposed by Turkey to take refugees in exchange for more help, while the Commission will present its proposal to overhaul the asylum system.

US firms ignoring EU court ruling on data, Schrems warns

Facebook and other big US firms have no intention of respecting the landmark ruling by the EU's highest court on data transfers to the US. The court in July dramatically scrapped Privacy Shield, citing US surveillance concerns.

Feature

Covid-hit homeless find Xmas relief at Brussels food centre

The Kamiano food distribution centre in Brussels is expecting 20 people every half hour on Christmas Day. For many, Kamiano is also more than that - a support system for those made homeless or impoverished.

Top court finds Hungary and Poland broke EU rules

EU tribunal said Hungary's legislation made it "virtually impossible" to make an asylum application. Restricting access to international protection procedure is a violation of EU rules.

Stakeholders' Highlights

  1. Nordic Council of MinistersNATO Secretary General guest at the Session of the Nordic Council
  2. Nordic Council of MinistersCan you love whoever you want in care homes?
  3. Nordic Council of MinistersNineteen demands by Nordic young people to save biodiversity
  4. Nordic Council of MinistersSustainable public procurement is an effective way to achieve global goals
  5. Nordic Council of MinistersNordic Council enters into formal relations with European Parliament
  6. Nordic Council of MinistersWomen more active in violent extremist circles than first assumed

Latest News

  1. First refugee deaths confirmed on Belarus-EU border
  2. EU kept in dark on ex-commissioner's new lobby job
  3. Fraud against EU dropped 20% last year
  4. French outrage over US security deal exposes EU frustrations
  5. Auditors slam EU Commission on green investments
  6. Youth migration 'costing West Balkans up to €5.5bn a year'
  7. Central & Eastern Europe: What Merkel did for us
  8. Netherlands against more rights for rejected asylum-seekers

Join EUobserver

Support quality EU news

Join us