Privacy Shield: a safe harbour for EU data?
Transatlantic data protection package is still just a proposed framework, not a done deal
Max Schrems’s case prompted the European Court of Justice decision over the Safe Harbour agreement. Photograph: Collins Courts
Hooray! Transatlantic transfers of digital data are once again safe to continue, thanks to a new deal between the EU and US called EU-US Privacy Shield. This will replace the old Safe Harbour principles overturned by the European Court of Justice.
At least, that’s what you’d think, given the immediate response of technology company lobbies and professional organisations, the American Chamber of Commerce, even our own Government.
But – ahem – there’s still no “deal”, as European Green MEP and privacy advocate Jan Philipp Albrecht was quick to note on Twitter.
You had to be listening pretty carefully to the briefing, which danced adeptly around this key point. But Privacy Shield is still just a proposed framework for guaranteeing that European data is given the same protections when transferred to the US, as they would be given in the EU.
It’s not a done deal. It hasn’t even been formally drafted yet. As it stands, it is a set of verbal agreements and some “written assurances” that the US will not subject EU data to mass surveillance, and offers some redress for EU citizens who bring complaints, à la Max Schrems (his case, regarding the Irish Data Protection Commissioner’s handling of his complaint about his Facebook data, prompted the ECJ decision).
Really, Privacy Shield is more Privacy Figleaf, hastily bestowed to cover up the failure to produce an actual, written agreement in time to meet a January 31st deadline imposed three months ago, post-Schrems decision, by the Article 29 working group of European data protection authorities.
If no agreement were reached, the Article 29 Group said national data protection authorities could individually begin to take action against companies, immediately halting data transfers.
Those were massive stakes. A moratorium on Safe Harbour transfers would freeze such activity for most small to medium companies, and pose headaches even for the huge multinationals that have EU-based data centres, and which have scrambled to put in place systems to allow data to be processed in Europe.
Diminishing tolerance
Facing that calamity (and an indication that many data protection authorities, like the ECJ, have diminishing tolerance for the Commission’s habit of promising a result soon but constantly asking for more time), it seems the Commission and US negotiators opted for announcing something, kind of, to the European Parliament.
They did this late on February 1st – a day after the deadline – and in somewhat more detail the following day.
The details, such as they are, do not seem adequate to meet the ECJ’s concerns (although Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality, said that the proposed agreement was negotiated around those concerns).
Certainly, Privacy Shield has elements that are an improvement on the laughably flimsy Safe Harbour, which only required self-certification by companies via a process of ticking boxes on an online form.
These include some proposed checks and balances that, it is claimed, would limit access to data and prevent it being included in any form of US state surveillance. An independent ombudsman to the State Department would handle complaints from EU citizens.
Companies will be subject to a “supervision mechanism” and can be removed from the list of compliant companies. Privacy Shield itself would be reviewed annually.
Secretive and opaque
But given that US security laws still prioritise security over transparency and privacy, offer little redress to US citizens and still can be used to legitimise secret surveillance – and given that congressional oversight of US security agencies is itself secretive and opaque – how can the proffered “written binding assurances” possibly be adequate to guarantee EU data is protected?
How can EU data – already sloppily mingling with data of other origins in many corporate databases, as we know from past data breaches – be filtered out now, and guaranteed exempt from surveillance?
Many legal and privacy experts believe only changes to US security legislation could provide the legal assurances the ECJ mandated in the Schrems decision.
The proposed agreement no doubt represents much hard work. It is evidence of the challenging struggle to find a solution by two parties with totally different views of privacy: a fundamental right in the EU, but lacking the authority of Constitutional protection in the US.
But Privacy Shield is also a frantic effort to offer whatever was on the table, though not yet fully conceptualised or formalised, as a “deal” as the deadline descended, in an attempt to buy more talk time.
Unfortunately, while Privacy Shield is a start, it’s hardly a proposal that meets EU demands. And, given its central importance for transatlantic commerce, it is, frankly, an insult that “assurances” from the US were deemed adequate in the wake of disclosures of sweeping NSA surveillance programmes.
The question now is whether one of the national data protection authorities will decide to act on the basis that there is actually no agreement. And, what the ECJ will say when faced with the inevitable challenge that will come to Privacy Shield down the line.