The European Commission and the US have just come to a deal to replace Safe Harbour, which ensured a blanket allowance for EU-US data transfers before its invalidation by the European Court of Justice (ECJ). The newly-baptised Privacy Shield is supposed to set a framework for transatlantic data flows ensuring compliance with the EU Data Protection Directive. However, except for a fancy new name and a couple of nice declarations of intention, there is – at this time – no sign that it will offer better guarantees regarding EU citizens’ rights to privacy and data protection.
Do you know Max Schrems, the Austrian privacy activist that decided to fight for our rights not to have our personal data intercepted by the NSA? Thanks to his decision to file a lawsuit against Facebook for violating privacy rules, the ECJ ruled last October in his favour, invalidating the Safe Harbour agreement. It states that because Safe Harbour prevents an EU national supervisory authority from investigating a complaint, as well as does not provide a possibility for EU citizen to pursue legal remedies to access, erase, or obtain the rectification of their personal data, the agreement ultimately jeopardizes EU citizens’ right to effective judicial protection.
It should be noted that the 2013 Edward Snowden’s revelation strongly weighted in this decision, as the exposure of large-scale surveillance programmes, such as PRISM, raises numerous concerns regarding the surveillance practices of US intelligence agencies. The Schrems case is particularly important in this regard, as it is an official recognition of the crucial inadequacy of US authorities’ laws with EU legal requirements on data protection.
However, the EU Commission – despite being guardian of the EU treaties – did not seem to have understood the strong message sent by the CEUJ. After a couple of months, the deal strikes with US authorities does not present any amelioration that could eliminate Safe Harbour’s major flaws and does not address concerns about US authorities’ mass surveillance activities. A particularly striking point is at this time, it is believed that the new agreement does not require any amendment of the US laws. Keeping in mind that one of Safe Harbour’s major problems was the lack of US judicial remedies for EU citizens, it makes Privacy Shield look like nothing else than an empty shell.
Unfortunately, the lack of commitment to citizens’ rights displayed in this case is not an exception, but rather the norm. Even the US Judicial Redress Act, which could open the long-awaited possibility for EU citizens to seek legal remedies in the US, still fails to pass the Senate where senators multiply attempts to limit Europeans’ legal redress in the US. In the EU, the political pressure put on legislations such as the Directive on Passenger Name Data (the finale vote being scheduled at the end this month) shows that on this side of the pond too, there is clear lack of will when it comes to the protection of fundamental rights.
It is more than regrettable than the ECJ’s thorough considerations leading to Safe Harbour’s invalidation did not seem to impact the mindset of EU and US authorities: they could have taken this opportunity to do significant legislative improvements ensuring strong data protection standards, instead we only have witnessed hasty negotiations driven by alarmist predictions focused on preserving a status quo that is not acceptable – in Europe’s highest court’s own words.
Rebranding campaigns are widely used marketing strategies for adjusting customers’ perceptions on a product. Does it also work with legal agreements? Well, one might have some doubts, and we probably won’t have to wait long before the case bounces right back on the ECJ’s agenda.1 comment