Explainer: European data watchdog rejects EU / US Privacy Shield, here's why

This pact was proposed as a replacement for Safe Harbor

The European Data Protection Supervisor has rejected the data transfer pact between the EU and US, saying it needs "significant improvements". The EU - US Privacy Shield was designed to replace Safe Harbor, which was scrapped last year after the EU Court of Justice ruled it to be invalid. 

Safe Harbor was initially put in place in 2000 and was designed to provide a "streamlined and cost effective" way for US firms to get data from Europe, without breaking EU rules. This meant that data generated by users in the EU on sites such as Google, Facebook and iTunes was transported to the US for processing. 

Safe Harbor allowed US companies to self-certify that they were taking the necessary steps to ensure data protection as the EU forbids the transfer and processing of data to parts of the world which do not provide adequate privacy protections. 

This went under scrutiny back in 2013 after Edward Snowden revealed details about a NSA surveillance scheme called Prism. It was alleged that the NSA had gained access to information about Europeans, which was stored by the US tech giants.

Max Schrems, a privacy campaigner, asked the Irish Data Protection Commission to audit what material Facebook was passing across to the US. The body declined Mr. Schrems request, stating that the transfers were covered by Safe Harbor. 

Mr. Schrems appealed that decision and the case was moved onto the European Court of Justice and it was ruled that Safe Habor was inadequate. 

Privacy Shield

In February of this year, both the EU and US agreed to a new pact, which would make it easy for organisations to send data across the Atlantic. This was called the EU / US Privacy shield. The key points of this pact were are as follows:

  • The US would create an ombudsman to handle complaints and accusations from EU citizens about American's spying on their data
  • US Office of the Director of National Intelligence will give written commitments that European citizen's data will not be subject to mass surveillance
  • The EU and US will conduct annual reviews to ensure the system is working correctly

This pact, however, has been criticised by European privacy watchdogs.

Giovanni Buttarelli, European Data Protection Supervisor, has warned that the Privacy Shield is "not robust enough". In a statement Mr Buttarelli has said

"I appreciate the efforts made to develop a solution to replace Safe Harbor, but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny".

While this does not mean the pact will be scrapped, it will no doubt cause for further talks about future-proofing the agreement.