It has been a major topic for months – shortly after the expiry of the set amnesty period, the USA and EU agreed on a follow-up agreement to "Safe Harbor". The objective is to define binding regulations for the exchange of data between Europe and the USA and to limit access to user data from Europe in the USA. At the end of 2015, the European Court of Justice overturned the original agreement after it had been in force for more than 15 years on the grounds of concerns relating to data protection laws. This decision left several thousand companies which regularly transfer personal data from Europe to the USA and store and process it there unsure of their legal situation and also means that they run the risk of hefty financial penalties under EU law.
However, doubts began to arise across the board shortly after initial information was released as to whether the new "EU-US Privacy Shield" agreement will be able to keep the promises made by its name, in other words protecting European user data from being accessed by US authorities and secret services in a manner that is not monitored or legally approved. The points mentioned thus far:
- US authorities will be able to access data belonging to European users if national security interests are at stake. However, this will be subject to "clear limitations, safeguards and oversight mechanisms". It is questionable whether an agreement of this kind will hold up in the European Court of Justice if the specific oversight mechanisms referred to here are not clarified.
- Compliance with the agreement will be monitored and sanctioned by the US Department of Commerce, while the EU Commission and data protection authorities in the Member States will only be involved in joint annual reporting.
- The USA will appoint an ombudsman who is independent of the US secret services to handle complaints. However, their legal jurisdiction has not yet been defined in more detail.
- A look at the draft of the Judicial Redress Act demonstrates that: The rights of non-US citizens to seek access to and correct personal data which is being processed and used in the USA are complicated and limited in practice. Non-US citizens first of all have to proceed through administrative channels. They are only entitled to sue if this approach conclusively fails them. However, even this is only an option if the US Attorney General grants citizens of another country or economic area the rights described.
The protests are as vigorous as ever, even just after publication. The conclusion is that this agreement does not resemble a great success. It is a pity that the stakeholders were unable to agree on a regulation with the potential to gain acceptance on a significantly greater scale. This would be in the interest of data protection authorities and companies affected in Europe, as well as in the interest of Cloud providers in the US and other major IT companies. In our experience, many of these companies take Europeans' concerns relating to data protection very seriously – particularly for purely pragmatic reasons, as consumer doubts on a data protection level are simply bad for business in Europe. The legal dispute between Microsoft and the State of New York, which refused Microsoft access to customer emails stored on servers in Ireland, is a noteworthy indication of this and is supported by almost all notable IT stakeholders from the USA.
The agreement which has now been brokered between the USA and the EU still needs to be drawn up into a contract, the EU states must also approve it and the EU Parliament has to take a look at it, too. Unfortunately, it is possible to foresee at this early stage that this topic is far from resolved and that the debate on the acceptability of transatlantic data processing will continue to rage rather than abate. Safe Harbor, Privacy Shield: When will the successor be succeeded?
If you have more questions, contact us below and one of our experts will be speaking to you shortly. You can also visit our website for more information.