This week, technology firms across Europe breathed a heavy sigh of relief as Brussels and Washington reached a deal at the eleventh hour on transatlantic data transfer and privacy rules to replace the defunct ‘Safe Harbour’ agreement, which was ruled illegal in October 2015.
The new Privacy Shield pact, also known as ‘Safer Harbour’, will see the US give an annual written commitment that it will not conduct mass or indiscriminate surveillance of EU citizens, which will then be audited by both sides once a year.
But what went wrong? And why is it so important?
To answer that, we need to go back to the case of whistleblower Edward Snowden, who in 2013 leaked thousands of classified documents revealing details about the global surveillance programme.
Perhaps the most infamous of these was the PRISM programme, which collected data from around the world including emails, video, audio, photographs, documents and other related materials in collaboration with at least nine companies – Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
This then brought the Safe Harbour agreement into question. EU privacy law forbids its citizens’ personal data from being sent outside of the union to locations without “adequate” privacy protections, so the deal saw the US promise to abide by these standards. However, in order to avoid drawn-out procedures delaying transfers, the deal also allowed companies to self-certify their data practices.
Last year, a concerned Austrian law student called Max Schrems took Facebook to court in Ireland after filing a privacy complaint that effectively challenged the safeguards Safe Harbour had in place – he won. The old deal was scrapped and watchdogs were given three months to ‘put their house in order’.
This left some 4,000 companies in limbo and half a trillion dollars of trade at stake. Apart from the tech giants, who hold all user data at their US headquarters, there were many small businesses that had relied on the agreement to outsource their human resources, payroll and other tasks involving personal data about customers or staff.
So it’s no surprise that many organisations were quick to celebrate and get back to business as usual.
However, not everyone is pleased. Schrems, along with privacy agencies across the continent, has since pointed out that the US has not changed its surveillance techniques to be compliant with European law – something that leaves plenty of scope for Privacy Shield to be ruled invalid, just like its predecessor. Meanwhile, Europe’s Data Protection Authorities have warned businesses to hold fire on signing up until April while they analyse the legality of the agreement.
My main question, however, is whether the EU would ever dare enforce the law again. Besides the turmoil and angst caused by the first ruling, there’s no denying the benefits multinationals like Amazon and Google bring to an economy, so would they ever risk the potential backlash? Think about the issues surrounding tax avoidance – where’s the real action there?
To me, it feels like we’ve reached an impasse – the US wants to snoop, the EU doesn’t like it, but neither wants to lose what the other has. So instead they crack open the champagne and watch a leaky ship slowly sinking in a shark-infested harbour, because what else can they do?