US bulk collection still allowed under EU-US Privacy Shield

The EU Commission on Monday (29 February) released details of a US data transfer agreement said to be worth some $260 billion.

But the Brussels executive warned it would not hesitate to suspend the self-certification pact should the current or next US administration fail to adhere to the new rules under the so-called EU-US Privacy Shield.

"We will suspend and we mean it," an EU official told reporters in Brussels.

Austrian privacy campaigner Max Schrems, whose court case against Facebook helped shape Privacy Shield, said the latest agreement contained only minor improvements.

He noted the US still had wide bulk collection data powers despite US reforms

This includes, according to the US government, "countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion."

The EU official, for her part, says any bulk collection by the US would be an exception.

Signed letters

Letters signed by top US officials, and published in the US federal register, underpin the commitments made in Shield.

They include signatures by US secretary of state John Kerry i, US secretary of commerce Penny Pritzker, and US commissioner of the federal trade commission Edith Ramirez.

"I don't expect that whoever comes next in the next US administration will easily play with that," added the official.

Privacy Shield, which still needs to be formalised before official launch, replaces an invalidated 15-year old data transfer agreement known as Safe Harbour.

The pact is supposed to ensure an "adequate" level of privacy protection whenever someone's data is transferred to the US from the EU.

The suspension threat is meant, in part, to address broader concerns that the latest deal would fall apart should it end up in the European Court of Justice in Luxembourg or should US counterparts fail to take it seriously.

The Luxembourg court last October scrapped Safe Harbour, which was riddled with loopholes and seldom enforced by the US Federal Trade Commission. Some 4,000 US firms had signed up to the pact.

The latest deal is the end result of two years of talks between EU and US negotiators following mass surveillance revelations by former National Security Agency contractor Edward Snowden.

The court ruled that any form of "access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.

German Green MEP Jan Phillipp Albrecht, who steered the data protection bill through the parliament, remains sceptical that Shield can deliver.

"The new 'Privacy Shield' framework appears to amount to little more than a remarketed version of the pre-existing Safe Harbour decision, offering little more than cosmetic changes," he said in a statement.

The EU official said the commission would scrap the latest pact should US companies not "live up to the obligations they have signed up to" and if complaints by EU citizens are not properly handled.

Privacy Shield extends also to alternative data transfer contracts.

The pact contains a handful of novelties, including a US ombudsperson to oversee complaints by EU citizens on national security breaches, a joint annual review of the pact, and a 45-day response delay by companies.

“That is a tight deadline if you look at the structure of multinationals and complexity of cross border cases," said Jorg Hladjk, counsel at Hunton & Williams law firm in Brussels.

US under-secretary of state Catherine Novelli will oversee the ombudsperson role and steer individual complaints through the US system.

US companies that fail to comply could be delisted from the scheme or face possible fines from the US federal trade commission.

"Most of these cases will concern cases where an individual is asking for access or notification of his data for the processing of data to not be transferred to a company outside of Privacy Shield," said a second EU official.