While the debate over an EU-wide scheme continues, the same scheme has been operating for all flights between EU member states and the US since 2001.
This blanket mass surveillance was instigated by the US in the wake of the 9/11 terrorist attacks, but put airlines in a bind: the US Department of Homeland Security demands the information from them, but European data protection law bars the transfer of data outside the EU.
The European Commission is working with the United States on the final details of the Safe Harbour agreement, which was put up for renegotiation after U.S. mass surveillance practices were exposed. Under the new deal, U.S.-registered companies will face stricter rules when transferring data to third parties.
Brussels has demanded guarantees from the United States that the collection of EU citizens' data for national security purposes would be limited to what is necessary and proportionate. The new deal would allow both sides to monitor the functioning of Safe Harbour, including how the limitations on U.S. authorities' access to the data are being applied.
U.S. President Barack Obama in June signed a bill reforming a government surveillance program. He also plans to extend certain protections enjoyed by U.S. citizens to foreigners.
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.
US Federal Trade Commission bureau director says EU national data protection authorities had only referred four privacy complaints over the 15-year life span of Safe Harbour.
Jessica Rich, bureau director at the US Federal Trade Commission (FTC), said European national data authorities were supposed to alert the FTC to any possible violations under the scheme but they seldom did.
In the weeks since the October 6, 2015, Court of Justice of the European Union decision that invalidated the EU-U.S. Safe Harbor framework, companies have been faced with the quandary of establishing legal alternatives for transferring personal data from Europe to the U.S.
Alternative data transfer mechanisms such as standard contractual clauses (SCCs, also called model clauses) and binding corporate rules (BCRs) were implicitly endorsed by the European Commission, but not all European countries have taken this position.
On Monday, October 26, a group of German data protection authorities representing the federal government and 16 German states issued a 14-point position paper (available in German here) following the CJEU Decision.
Following the invalidation of the Safe Harbor agreement, this article offers a detailed review of consequences for Estonia, Latvia and Lithuania.