Key privacy activist casts doubts on new US-EU data deal

The privacy advocate who brought down a 15-year-old data transfer agreement between the U.S. and the EU is now questioning the validity of its replacement.

“I am however not sure if this system will stand the test before the Court of Justice,” Max Schrems of Austria said in a statement Tuesday. “There will be clearly people that will challenge this — depending on the final text I may well be one of them.”

{mosads}The European high court struck down the so-called Safe Harbor agreement in October, claiming that the U.S. could not be seen to adequately protect citizens’ privacy thanks to its mass surveillance practices. The ruling was the culmination of a complaint filed by Schrems against Facebook with the data protection authority in Ireland, where the company’s European headquarters is located.

On Tuesday, the Commerce Department and the European Commission announced an updated pact that they say will permit Facebook, Google and thousands of other companies to continue handling Europeans’ personal data.

The so-called Privacy Shield offers a variety of redress mechanisms for European citizens who feel their data has been mishandled by U.S. firms, as well as creating an ombudsman to address complaints of possible access by national intelligence authorities.

In announcing the deal, officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations.

But critics have long warned that the replacement deal — a written commitment made at the cabinet level, but not a formal treaty — could be struck down as summarily as the old Safe Harbor.

Many say unless the U.S. undertakes a systemic overhaul of its privacy laws, there is no legal framework that can satisfactorily protect the personal data of European citizens — for whom privacy is a fundamental right under the EU Charter.

“With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Schrems said Tuesday.

Individual citizens as well as EU member states’ various data protection authorities are expected to challenge the new agreement in court if it doesn’t meet the requirements of the October ruling.

Indeed, Schrems himself already has several other cases pending in Germany, Ireland and Belgium.

Schrems conceded, however, that it is still too early to make any determinations on the legality of the new arrangement. Complete details have not yet been made public, and it must still be approved by the EU’s 28 member states. 

“We don’t know the exact legal structure yet, but this could amount to obviously disregarding the Court’s judgement,” Schrems said.