Data on your online activities – from social media to shopping – is regularly sold to American advertisers. Strong data protection standards are in place in the EU to protect your privacy, but this is not the case in the US. The EU is now negotiating a new agreement with the US called Privacy Shield to safeguard your data. MEPs debate whether this deal will offer enough protection in plenary on Wednesday 25 May. Read on for an explanation of the issues involved.
How your online data is being used
Everything you do online – from typing in search terms to page clicks and likes – is registered. Even when the information is collected in the EU, it can still be processed and sold to advertisers in the US to help them to figure out how to best market products. For example, if you search information on Barcelona, you might see adds from hotels there popping up.
The transatlantic divide on privacy
Traditionally the EU has valued protection privacy more than American authorities. Not only are your rights enshrined in article 8 of the European Charter of Fundamental rights, they are also given additional protection under the reform of data protection rules in the EU that have been adopted.
However, the different approach to privacy can pose a problem when Europeans’ data are transferred to the US as data protection standards are different. To overcome this the EU and the US negotiated an agreement to offer Europeans safeguards when their data was being transferred.
Safe Harbour and why it failed
Safe Harbour was an agreement between the EU and the US on how data on Europeans should be handled when transferred overseas. It listed a number of conditions that American companies had to meet in order to be allowed to transfer Europeans’ data to the US. They had to register voluntarily and confirm they had complied with the principles set out to protect people’s privacy. The European Commission was also required to regularly check whether US companies were really providing enough protection to Europeans’ data.
In 2013 Edward Snowden revealed that US intelligence agencies engaged in the bulk collection of communications data, sometimes working together with internet giants.
Austrian Facebook user Maximillian Schrems lodged a complaint with the data protection authority in Ireland, where the company has its EU headquarters, saying the law and practice of the US did not offer his data sufficient protection against surveillance. The Irish data protection authority rejected his complaint, citing the Safe Harbour agreement, but the Irish High Court referred the issue to the European Court of Justice. The court finally invalidated Safe Harbour on 6 October 2015, citing the extent of mass surveillance in the US and the limited judicial redress available to people in the EU regarding such government surveillance.
The need for a new data protection agreement
After the European Court of Justice invalidated Safe Harbour, the European Commission and the US had to negotiate a new agreement that addressed the court’s concerns. The aim was to prevent national data protection authorities from abruptly halting the flow of data from the EU to the US could have had grave economic consequences.
Privacy Shield and how it is being scrutinised
Privacy Shield is the name of the new agreement that the US and the European Commission negotiated to regulate transatlantic data flows, however it is not clear yet if it will effectively address the privacy concerns.
It will be up to civil servants from the member states to decide whether to approve Privacy Shield on behalf of their government, but they will have to take into consideration the opinion of the national data protection authorities.
The national data protection authorities, working together in a working party, have serious reservations about the deal, saying that the NSA hasn’t provided enough details in order to exclude massive and indiscriminate collection of personal data originating from the EU, while an US appointed ombudsman is not independent and cannot guarantee a satisfactory remedy in case of disagreement between an EU citizen and US authorities.
The agreement is also being scrutinised by the Parliament, which at any time, can request the Commission to maintain, amend or withdraw the agreement. The Council also has the possibility to do this.
The European Parliament’s civil liberties committee discussed Privacy Shield with experts in March. Several MEPs pointed out that the new arrangement was better than the previous one, however other MEPs and privacy activists participating in the hearing criticised Privacy Shield for not providing enough safeguards.
MEPs debate Privacy Shield in plenary on Wednesday 25 May and vote on a non-binding resolution the following day.
Other data sharing agreements
Parliament’s consent will be needed for the EU-US umbrella agreement dealing with privacy guarantees for data transfers in the area of law enforcement. It will complement existing agreements with the US that allow access to airline passenger information (passenger name records agreement) and bank transactions (Swift/TFTP agreement). One of the main issues is again the need for EU residents to have access to effective judicial redress in the US.