The United States and the European Union have finally aired the details of their new post-Safe Harbor spying arrangements – which are designed to alleviate fears about the extent of America’s power over European data.
Although not officially part of the deal, perhaps the most significant development here is that for the first time, European citizens should be able to take the US government to court for data breaches following last week’s signing of the Judicial Redress Act.
It’s something the EU has been pushing for in order to bring its citizens’ protection against US companies in line with those given to American consumers dealing with businesses in Europe.
45-day company complaint period
The Privacy Shield agreement has outlined a new 45-day response period for complaints made to companies accused of mishandling your records.
90-day complaint period to local authorities
Consumers will also have the option to complain to their local Data Protection Authority and get a response from the relevant US body (either the US Department of Commerce or the Federal Trade Commission) within 90 days.
Alternative Dispute Resolution tool
Sanctions for non-compliant companies
Companies are expected to self-certify with Privacy Shield each year to say that they meet the privacy requirements outlined in the new agreement, with “sanctions or exclusion if they do not comply.”
Oversight by US government
The US Department of Commerce has been elected to monitor and verify companies, even if they aren’t currently signed up to the agreement.
In areas where the person believes they have been spied on unlawfully by US government authorities, they will be able to appeal to a new independent ombudsperson.
On mass spying, the European Commission says:
For the first time, the US has given the EU written assurance, to be published in the federal register, that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. The US assures there is no indiscriminate or mass surveillance on the personal data transferred to the US under the new arrangement.
“Targeted” spying will be limited to: detect and counter threats from espionage, terrorism, weapons of mass destruction, threats to the armed forces, or transnational criminal threats.
Joint annual review
There will also be an annual joint review between the European Commission and the US Department of Commerce to ensure the new rules are being used in the right way.
These changes do appear to offer more oversight than the self-regulation in the previous Safe Harbor agreement.
But it’s really not yet clear how these mechanisms will work in practice, why so many complaints procedures have been outlined when surely one good one would do and whether companies will be jumping over each other to sign up.