Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal?  In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the CJEU. National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.

A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.

The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.

The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.

The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses of the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users. This would require amendments to the national laws in both locations. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.

The other persistent problems which have remained include the provision for self-certification, which provides inadequate protection against ensuring enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data, also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.