((First published in E&T Magazine.) The EU and the US have negotiated a new data protection agreement, called Privacy Shield.
It is supposedly an upgrade from Safe Harbour, which was struck down by the European Court of Justice last year because it wasn’t good enough for privacy protection. To cut to the quick: Will the new agreement protect Europe’s publics from the snooping spooks? Or is it just a dressed up version of Safe Harbour?
A cynic would say that the Europeans are just being bamboozled with words, tied up in knots by ambiguously worded legislation that is sure to be contested by lawyers and leaves no final the buck-stops-here with an accountable body in Washington, once you parse the legalese. A play for the galleries.
That, at the end of the day the intelligence agencies, shrouded in secrecy, and protected by obfuscation, will continue to do exactly as they want with the personal data siphoned en masse from European publics’ social media accounts.
Of course, some people will think that is a good thing if it “protects us from terrorists”. Others are worried about the Big Brother implications of never having being certain that your data is not being inspected. Who knows who is using it and for what purposes? American agencies, we know, are much worried about transgressing their own citizens’ rights than that of foreigners. Foreigners can’t vote, so are low in the Washington pecking order.
Privacy International, a London based NGO that concerns itself with
these things, calls Privacy Shield “full of holes and offers limited protections”. It argues that the proposed American data ombudsman who will be there to hear out European complaints is hardly independent of the executive, since he reports directly to the Secretary of State. In other words, no checks and balances here. Further, he won’t be able to do much in practice; he will just be there as a wailing wall for aggrieved Europeans.
In paragraph 4(e) of the leaked EU commission-US document it is all there in its stark glory. “The Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied.” In other words, we are never going to tell you if you are being spied on, nor what is being done.
The US intelligence services are also allowing themselves a huge get out clause that boils the differences between unapproved surveillance down to semantics.
The US allows itself “bulk surveillance” in situations where the target’s email or name is not known. But how this is different from the unaccepted mass surveillance is not clear, since the US authorities allow themselves the right to monitor communications from an entire target region and call it “bulk surveillance”. Of course, the office of the Director of National Intelligence uses the “Middle East” region as an example. But it could as well be Europe. The difference between mass surveillance and bulk surveillance is moot. You are not allowed to do surveillance on the whole world, but a region of several hundred million people seems okay!
All this bothers civil libertarians in London and Berlin. I don’t know much normal Europeans care, especially after the recent terrorist atrocities, from axe attacks in trains to the gruesome beheading of an aged French priest in his own church. “If I haven’t done anything wrong, I have nothing to hide” is, I guess, a common sentiment.
Still, it serves to underline the premises of the implicit contract signed between Europe and America, really after the second world war. (At least as seen by Washington.) We protect you. So the decision-making is ours, and is not to be interfered with by you.