On 29th January 2016, an important step forward in the EU-US negotiations on a renewed Safe Harbour Agreement was made, thanks to the approval by the US Senate of the Judicial Redress Act. The Judicial Redress Act is a piece of legislation that will allow citizens from the European Union to enforce, in US Courts, their data protection rights as well as other rights already enjoyed by American citizens under the 1974 Privacy Act.
The Judicial Redress Act was considered an important, even necessary, step for the EU and the US to finalise negotiations on the renewal of the Safe Harbour Agreement. As a reminder, the Safe Harbour Agreement had been struck down by the European Court of Justice (ECJ) on 6th October 2015 because safeguards for EU citizens’ data transferred to the US had been found to be inadequate. The case had initially been brought to the Irish Data Protection Authority by the Austrian citizen and then law student Maximilian Schrems, following the discovery that data he had provided had been transferred by Facebook’s Irish subsidiary to servers located in the US.
On 2nd February 2016, only a few days after the Judicial Redress Act’s approval in the US Senate, EU and US negotiators were able to achieve an agreement on a new Safe Harbour, which has been rebranded and renamed “EU-US Privacy Shield.”
The EU-US Privacy Shield foresees a series of measures guaranteeing that EU citizens’ complaints about data transfers will be sufficiently investigated by the US and that European data will be protected from mass surveillance. On the first point, the US will introduce an Ombudsman within the State Department, whose role will be to oversee complaints from Europe, leverage independence and exercise oversight over the intelligence community. As for the second point, the protection of EU citizens’ data from mass surveillance, a series of questions is still open, concerning in particular the legal status and actual powers of the Ombudsman in relation to US intelligence services.
Other points raised by Members of the European Parliament (MEPs) concern the future of the Agreement after the Presidential elections, given that assurances by the US seem to rest on political commitments rather than legal acts, and whether the new agreement meets the ECJ’s requirements. On this point, many MEPs, including Jan Philipp Albrecht (Greens/EFA, Germany), an expert in data protection matters, claim that the Privacy Shield would not pass an examination by the ECJ and would again be struck down, with serious consequences for the Commission.
Following the announcement of the agreement, only Axel Voss (EPP, Germany), shadow Rapporteur on the Data Protection Reform, seemed to welcome the results of the negotiations, saying that the new arrangement “is of paramount importance for our digital economy. It gives a clear and reasonable legal framework for the transatlantic transfer of data.”
MEPs from other groups expressed concern. For example, Birgit Sippel (S&D, Germany) declared that “the agreement presented does not appear to rectify the problems with the previous system,” while Sophie in ‘t Veld (ALDE, Netherlands) argued that “it seems highly implausible that an Ombudsman will have sufficient powers to oversee US intelligence services.” Cornelia Ernst (GUE/NGL, Germany) said she was “even more frustrated by the Commission’s naivety when dealing with the US.” Indeed, it is important to note that an exception for national security was included in the agreement.
Vera Jourová, Commissioner for Justice, Consumers and Gender Equality, and Andrus Ansip, the Commission’s Vice-President in charge of the Digital Single Market, have now been tasked by the College of Commissioners with the preparation of an adequacy decision. This, according to Ms Jourová, should take roughly three months, after which the arrangement, if approved by Member States, will come into effect.