The man who orchestrated the downfall of a now defunct data-sharing pact between the U.S. and the European Union isn’t impressed with the text of the new one.
“They tried to put ten layers of lipstick on a pig, but I doubt the court and the [data protection authorities] now suddenly want to cuddle with it,” Max Schrems said of the new international data-sharing deal, dubbed Privacy Shield.
Schrems is an Austrian privacy activist who mounted a legal challenge against the previous data-sharing pact because he was concerned about how Facebook handles personal data in Ireland.
American and European officials released the details of a massive data-transfer pact on Monday. The deal came four months after the European Court of Justice struck down a 15-year-old agreement that previously allowed American companies to send EU citizens’ personal information across the Atlantic.
Officials from both the U.S. and EU are heralding the agreement for what they say are robust privacy checks and protections. Schrems isn’t convinced. While certain improvements are there, he said “none” of them address the biggest problems that led to the initial legal issues — American surveillance and insufficient privacy protections in U.S. law.
Some of the changes from the previous pact include robust annual reviews of the new deal, new arbitration avenues for EU citizens to lodge complaints if they believe companies have mishandled their online data, and assurance from American intelligence officials that the government no longer uses such data for mass surveillance.
Lead negotiators on both sides are hyping the new deal, in part, because it would save thousands of businesses from a catastrophic scenario if they were suddenly unable to send any data from European servers to the United States.
“Protecting personal data is my priority both inside the EU and internationally,” Věra Jourová, the EU Commissioner for Justice, Consumers and Gender Equality said in a statement Monday. She added that Privacy Shield “is a strong new framework, based on robust enforcement and monitoring.”
Schrems remains unconvinced and called the agreement an “unstable situation,” even though he said officials might “try to cover this in a PR exercise.”
Schrems sued Facebook in Ireland (the company’s European headquarters) because he feared U.S. surveillance activities undermined the security of his information when it was sent overseas. He wanted to raise awareness in Europe following the revelations of Edward Snowden about the bulk data collection program at the National Security Agency. His point was that Europe could no longer trust the United States as a responsible handler of personal information.
After the revelations about the NSA’s activities, Schrems’ complaint said, it became clear that U.S. law and practice did not provide sufficient protection against surveillance. The European Court of Justice sided with Schrems and invalidated the old agreement because it appeared that in America’s eyes, national security and law enforcement trumped its international privacy obligations. The court didn’t see the protection of EU citizens’ information as a high priority for the U.S. government.
The question now is whether the new deal addresses that fundamental question from the Schrems case: What about surveillance?
The European Commission has been told by American officials that “there is no indiscriminate or mass surveillance by national security authorities.”
Schrems says that statement contradicts guidelines in a recent letter by Robert Litt, general counsel at the Office of the Director of National Intelligence to the U.S. Department of Commerce and the International Trade Administration. The letter clarifies when and how bulk surveillance will be conducted. In particular, it explains the effects of a 2014 policy directive from President Obama about intelligence-gathering activities.
According to Litt, the directive says “intelligence collected in bulk can only be used for six specific purposes: detecting and countering certain activities of foreign powers, counterterrorism, counter-proliferation, cybersecurity, detecting and countering threats to U.S. or allied armed forces, and combating transnational criminal threats.”
Here’s Schrems’ view: “Basically, the U.S. openly confirms that it violates EU fundamental rights in at least six cases. … This charade is not only bluntly in conflict with the law and the [European] Court judgment but also with the documents the Commission presented.”
Personal privacy, especially in the digital age, is massively important to Europeans. This is apparent in the Charter of Fundamental Rights of the European Union, which devotes a few articles to specifically underline the right to communicate privately.
“Everyone has the right to the protection of personal data concerning him or her,” the charter states. It adds that any data collected must either be done by consent or “some other legitimate basis laid down by law.”
The charter, which acts as the EU equivalent to the American Bill of Rights, makes it clear that a person’s expectation of privacy is recorded in law in both the real and digital worlds.
The new deal still has to be approved by EU member states in a process that some say could take months. Schrems suggested the deal would be headed for another major legal challenge at the European Court of Justice. “There will be a number of people that will challenge this decision if it ever comes out this way, and I very well may be one of them,” he said.
