EU And US Come To 'Agreement' On Safe Harbor, But If It Doesn't Stop Mass Surveillance, It Won't Fly

Back in October, we noted that it was a really big deal that the European Court of Justice had said that the EU/US Safe Harbor framework violated data protection rules, because it had become clear that the NSA was scooping up lots of the data. The issue, if you're not aware of it, is that under the safe harbor framework, US internet companies could have European customers and users, with their information and data stored on US servers. Without the safe harbor framework, there are at least some cases where many companies would be forced to set up separate data centers in Europe, and make sure European information is kept there. Many privacy activists are actually supportive of keeping the data in Europe altogether, but I still think that would be a disaster for lots of internet companies and services -- especially smaller ones. The big guys -- Google, Facebook, Microsoft, Yahoo, Twitter, etc. -- can afford to have separate European data centers. A small company -- like Techdirt -- cannot. Requiring separate data centers and careful separation of the data would ensure less competition and fewer startups to take on the big guys. That's a problem. Beyond that, having those separate data centers could actually lead to even less privacy in the long run, because having many jurisdictions in which data is kept means that, inevitably, some of those jurisdictions will fall into states that have even worse surveillance and fewer data protections -- and also leaves open the opportunity for different data center setups, which may lead to more vulnerabilities. Remember, when the NSA broke into Google and Yahoo's datacenters, they were the ones outside the US, which may have had weaker security. And, despite many Europeans not wishing to believe this, many European countries have many fewer restrictions on the kind of surveillance their intelligence agencies are able to do on local data and citizens. The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement. That agreement was supposed to have been concluded by a fake "deadline" set for yesterday, but after missing that and claiming that progress had been made on a new agreement, a new deal was finally announced a few hours ago, with the ridiculous name "The EU-US Privacy Shield." Here's the key part of the announcement:

• Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

• Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

• Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For compl