New European, U.S. data transfer pact agreed (reuters.com)
104 points by Sami_Lehtinen on Feb 2, 2016 | 41 comments



Not really, it still needs to be ratified by the member states of the EU (and even after that citizens in some of the states can start a referendum about it) and after that it can still be shot down by the European Court. The pact is so vague about the protection of European citizens that there's a good chance that the European Court of Justice won't accept it, as they haven't fixed all of the problems that were in the previous "safe haven" pact.


>Not really, it still needs to be ratified by the member states of the EU (and even after that citizens in some of the states can start a referendum about it)

That's not true.

Under the Data Protection Directive the Commission, acting alone, can do this.

Article 25(6):

"The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission's decision."

>The pact is so vague about the protection of European citizens that there's a good chance that the European Court of Justice won't accept it

I'd go as far as saying it's almost certain.


AFAIU the commission can indeed do it and sadly until now it can be considered the most powerful institution in the EU. At the same time the commission is not a very democratic institution, because the members and the director of the commission are not elected by the European population and the acts of the commission are not subject to much control from other institutions.

If I understood it, the situation got a bit better in recent years as the parliament has a bit more power now - but I don't know the mechanics.

Disclaimer: This is only my uninformed understanding as an EU citizen.


The Commission needs to be voted in by the European Parliament. They can't propose a Commission on their own (only the Council can do so which consists of the head of states or governments). However, the parliament can vote against the proposal and forced candidates out in the past.

It's actually not too different from how governments are elected in many countries.


I am not convinced that the sole word of the Commission will suffice. That was, after all, the core of the Safe Harbour decision.


Well the Commission can't act contrary to the law. Or, rather, if it does then the CJEU will rule those actions to be invalid if somebody was to bring judicial review proceedings.

The Schrems case stemmed from the fact that the Irish DPA refused to investigate Facebook's transatlantic data transfer because Safe Harbor was in place. Schrems challenged that decision in the Irish High Court, the HC then referred the case to the CJEU which declared the agreement to be invalid because it violated the Charter of Fundamental Rights.


>there's a good chance that the European Court of Justice won't accept it

As an EU citizen, I have suddenly become quite fond of the court institution. It seems to be the only thing in the union that seems occasionally to work as it should. The Commission feels outright autocratic when it comes down to issues like this.


The council and the commission because of the council are just an extension to the national governments. They love to use the EU to push through disliked stuff like the data retention directive, so that they can blame the EU afterwards.

The parliament most of the time also acts quite sensible.


Council and Commission are textbook cases of what happens when power cannot be held accountable. They are a cesspool of murky establishment interests and rarely, if ever, act in the interests of EU citizens. Their structure is inherently tribal and ethnic-based, which should be seen as an abomination in 2016.

They are a relic of the pre-Parliament structure, when stuff got done with treaties and agreements, and should simply be dropped in favour of simple Parliamentary rule. The problem is that turkeys don't vote for Christmas, so national-government apparatchiks will never willingly renounce their power.

It's one of the many states of impasse the current EU structure finds itself stuck in, and it won't be solved by this or that state leaving.


Yeah, the ECJ already shot down Safe Harbor, they’ll shoot down this again.

With the current situation, it’s impossible to create a treaty complying with EU privacy law. (This is a personal opinion, not legal advice).


Of course it is possible, just copy EU privacy law word for word. Or do you mean that that law is internally inconsistent?

Otherwise, you could equally argue that it is not possible for the EU to create a treaty that complies with American law.


The US will have to change its laws. There's just no way to comply with the EU's Charter of Fundamental Rights while allowing mass surveillance to be conducted by the NSA and other US government bodies.


I think I figured out why Britain's politicians want to leave the EU so badly...


That's painting with a fairly broad brush. A tiny minority party - UKIP - have made it their main objective. Only small factions within the party in power - the Conservatives - have been vocally in favour of leaving the EU.

There's pockets of the people who seem to want to leave the EU, but I suspect that's more driven by xenophobia/racism than privacy legislation.


> that's more driven by xenophobia/racism than privacy legislation.

You're looking at it backwards: established interests that hate scrutiny (mostly on "socialist" work regulations, product quality regulations etc) are driving xenophobic sentiment to engineer an EU exit that would ensure they're firmly back in the driving seat at the national level. It's similar to the US "southern strategy" that recruited religious folks to the cause of Big Business, separating them from their working-class interests. "Divide and rule" is still one of the best strategies you can employ.


And why I'll be leaving the UK if that ever happens.


Officially mass surveillance isn't admitted by the NSA and other government bodies. They suggest they only do legal surveillance that has to be approved by the FISA court. Of course everything that I just said is pure bs.


>There's just no way to comply with the EU's Charter of Fundamental Rights

It seems that the more likely route would involve pressuring the EU's judicial systems to interpret that charter more favorably.


Maybe I'm not understanding this right but it seems like the EU has decided to trust US government agencies to provide adequate oversight/policing of Europeans' data usage in the US with only very minimal EU involvement. Impossible for us to know exactly but that's how it comes across to me in the article. Seems like it would make more sense for the EU to police this exclusively or to have their own ombudsman rather than relying on the US one to be impartial.


The US is treating this as a political negotiation rather than a legal impasse. The European Commission doesn't want to be seen as being obstructionist when it comes to trade.

There is zero chance this would stand up if it was taken to the European Court of Justice, they'd laugh it out of the room just like they did with Safe Harbor.


American companies don't do that for US citizens, or pretend to comply but don't do so really. Seriously, Americans don't trust their own government or any corporation with any data. And they have very good reasons to do so, because those corporations and the US government will use that data for anything whatsoever that they feel is protecting whatever laws they have come up with and instituted. Whether that's for actual criminal activities, protecting intellectual property, or even protecting American corporate or economic interests. American corporations will use that data to sell people more stuff and build as detailed of a profile on them as possible. How a third party does so is beyond insanity to me. It's not reasonable at all. Period.


> Americans don't trust their own government or any corporation with any data

wat?

Americans give so much data to companies.


I believe the implication is, "Americans don't trust their own government or any corporation to abide by their publicly stated policies on how and when data is collected and used."


To give and trust are two different things. Americans give everything, they don't trust it at all.


> Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission.

http://europa.eu/rapid/press-release_IP-16-216_en.htm

This one reads like a big fat nothing. So it's the FTC who will be monitoring if the US companies treat EU citizens' privacy well? Yeah, what could possibly go wrong? It's not like the FTC hasn't already been virtually impotent in punishing privacy violations from US with small fines and "20 year privacy monitoring", which is about the same as credit rating agencies giving big banks AAA ratings in 2008.

EDIT: Oh wait, it's actually the Department of Commerce - only the most corporate-friendly agency in the U.S - the one that will be doing the monitoring. Lovely.


So it looks like this needs (from EU perspective) another round of lawsuits to get this overthrown again - since the oversight by the US DoC is laughable.


Basically the problem with Safe Harbor is Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The cumulative effect is that all non-US persons are legitimate targets of mass surveillance under US law.

The fix for Safe Harbor was negotiated with Department of Commerce who has no authority to talk about reforming this policy.

Options were

1. Immediately end the ability of US based digital companies to do business in Europe

2. Cave completely and have a few months of normalcy before Europe Commission kills the deal.


You have a significant misunderstanding of the mechanics of this treaty, FISA, and EO12333.

This treaty: it must be ratified by Congress in order for it to be considered accepted by the EC. Under the U.S. Constitution, this means it would carry the full force of the law. The Commerce Department wouldn't bear the weight of enforcement.

FISA §702: limits collection to targeted non-U.S. persons of foreign intelligence interest at borders (Upstream) and submission of NSLs to U.S. organizations for data on non-U.S. persons. The Privacy Shield agreement only prohibits mass surveillance.

EO12333 does not apply since that collection occurs outside of the United States, and would not be in the jurisdiction of this agreement.

> Department of Commerce who has no authority to talk about reforming this policy.

No, this agreement was made at the behest of the Senate Committee on Commerce, Science, and Transportation [1]. Since this will be ratified by the Senate, it will carry the full weight of the law.

[1] http://www.commerce.senate.gov/public/index.cfm/pressrelease...


This will have to be ratified by the Senate, DoC will not be in charge of policing this.

This agreement was made at the request of senators.

Under the U.S. Constitution, all foreign treaties must be ratified by the Senate. This will carry the full weight of the law.


And we've seen that US laws aren't worth the paper they're printed on when it comes to curbing the mass surveillance apparatus. Leaving the policing of their own hungry three-letter agencies to the US is a laughable proposal.


So the U.S. Department of Commerce is to oversee and control compliance to a directive that would hurt commerce in the U.S.?

Nothing to see here, walk on...


A directive that if not followed would result in damage to US business interests.


"prevent European Union regulators from restricting data transfers by companies such as Google and Amazon across the Atlantic."

The regulators wouldn't restrict data transfer - the existing Directive does. The question is not whether the Data Protection agencies can or cannot restrict data transfers, but whether the courts consider that this new agreement allows companies to comply with the Directive.


Really?

" The word 'password' on a computer screen is magnified with a magnifying glass in this picture illustration taken in Berlin May 21, 2013. "

Because that somehow represents a data transfer pact between the EC and the US? I thought that was meant to be a scare-picture of 'hackers'...?


see https://news.ycombinator.com/item?id=11020324

and the "European Commission may be issuing a round-trip to Luxembourg": http://europe-v-facebook.org/PS_update.pdf by @maxschrems


Morbidly curious about how Schrems is going to Schrems this one up.


He's already intimated that he could take this back to court


I hope he does.


If this isn't ratified, I think a lot of programmers are about to learn why free trade agreements are a good thing.


As a programmer, but also a user, I'm very glad that "free" trade agreements don't override our privacy protection laws.


Free trade should never override individual rights and protections.



