”Privacy Shield”, som ska ersätta den ogiltigförklarade Safe Harbor-överenskommelsen, möts med skepsis. ”This is rather a joke”, säger gröna EU-parlamentarikern Jan Philipp Albrecht.
Två dagar efter deadline, och en dag före EU-kommissionens sammanträde med dataskyddsmyndigheterna, stod det klart att EU och USA enats om en överenskommelse som ska ersätta Safe Harbor. Överenskommelsen beskrivs som en ”politisk handskakning” – något dokument finns ännu inte.
EU-kommissionär Vera Jourová meddelade vid tisdagens presskonferens att USA åtagit sig att se över hur upplägget fungerar en gång per år, att EU:s dataskyddsmyndigheter ska samarbeta med FTC och att USA lämnat skriftliga utfästelser om att dataöverföringar till USA inte ska bli föremål för ”indiscriminate surveillance”.
- The new arrangement lives up to requirements of the ECJ … We have achieved safeguards and transparency obligations on U.S. government obligations on government data. The US has given the EU binding assurances that access for national security and law enforcement will be subject to clear limitations, safeguards and oversight, sade Jourová.
Judicial Redress Act, som ska utsträcka USA:s Privacy Act till att gälla även européer, är inte på plats än (men verkar vara på väg). Enligt Jourová ska klagomål från EU-medborgare tillsvidare ska hanteras av en amerikansk ombudsman.
Såhär sammanfattar EU-kommissionen huvuddragen i överenskommelsen:
(1) There will be “stronger obligations on companies in the U.S. to protect the personal data of Europeans.”
(2) The EU-US Privacy Shield will provide for “stronger monitoring and enforcement” by the Department of Commerce and FTC.
(3) There will be “commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access.” The press release notes that the US has “ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”
(4) There will be “an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.”
(5) Europeans will have new abilities to raise complaints for redress: “Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.”
This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online, sade USA:s Secretary of Commerce Penny Pritzker.
Andra var inte fullt så optimistiska:
- If the court comes to the conclusion that the decision is unlawful, it will be taken down again. At the moment it’s very likely to happen and then this is a disaster for this Commission. It may even lead for this Commission to completely fail in this area. This is rather a joke, sade tyska EU-parlamentarikern Jan Philipp Albrecht.
Max Schrems, juristen och internetaktivisten som fick EU-domstolen att ogiltigförklara Safe Harbor-beslutet, väntar sig att även den nya överenskommelsen kommer bli föremål för prövning i EU-domstolen:
- If this case goes back to the ECJ - which it very likely will do, if there is a new safe harbour that does not meet the test of the court—then it will fail again, and nobody wants that. What we should be focussing on are all these other companies in the US that do not fall under mass surveillance laws and that actually could protect our data well if they had the right agreements and the right arrangements.
- We suspect it will only be a matter of time before safe harbor 2.0 is challenged in court, sade Yorgen Edholm, vd för molnföretaget Accelion.
- The emperor is trying on a new set of clothes. Today's announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail, sade Executive Director Joe McNamee, direktör vid European Digital Rights.
Jourová verkar dock vara övertygad om att överenskommelsen håller:
Of course there might be new complaints and new court rulings, but I’m also pretty sure this new scheme will withstand any assessment from a legal point of view.