Privacy Shield about as useful as Captain America’s shield

Data protection and privacy agreement for EU citizens falls far short

The proposed Privacy Shield increasingly seems as likely to protect EU citizens’ digital data as Captain America’s comic book shield.

Another week, another pummelling of the Privacy Shield, which increasingly seems as likely to protect EU citizens’ digital data as Captain America’s comic book shield.

The proposed Privacy Shield agreement on data transfers between the US and the EU received another body blow this week as it trundles along towards seeming annihilation – if not in the European Parliament, then at the hands of the European Court of Justice (ECJ).

As expected, on Tuesday the EU’s top data privacy official, European data protection supervisor Giovanni Buttarelli, indicated the Privacy Shield, the intended replacement for the old Safe Harbour data transfer principles, is not – yet – fully baked. His 16-page formal document notes that too many needed ingredients are still absent from the mix.

“I appreciate the efforts made to develop a solution to replace Safe Harbour, but Privacy Shield as it stands is not robust enough to withstand future legal scrutiny,” Buttarelli said in a statement.

“Significant improvements are needed … to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution [via] transatlantic dialogue.”

He’s outlined an extensive and detailed list of “need to do better” problems in his 16-page opinion, but Buttarelli in particular doesn’t like the lack of legislated-for US protections against bulk surveillance and secretive data collection in the vague name of national security, the lack of clarity in how protections will work, uncertainty about how appeals would function, or that the proposed US ombudsman would sit within the very department that also is home to US surveillance agencies.

“For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights,” Buttarelli said.

His opinion is no surprise. Buttarelli had indicated in advance of his formal opinion that he believed it failed to meet the requirements of EU data protections or adequately address the concerns highlighted by the ECJ in its Schrems judgment, when it threw out Safe Harbour.

Privacy issues

Why then, was this proposed agreement (for it is not yet an agreed agreement) wheeled out last November in this raw state, as if it were nearly finished?

Did EU negotiators, or those on the US side, really believe letters of assurance from US officials would be enough to resolve concerns about secret data gathering, post-Snowden?

The more you look at it, the more the Privacy Shield looks like a wishful rough draft, produced mid-negotiations in order to meet a looming deadline while facing the real risk that data protection authorities might just halt data flows completely, to devastating business and consumer effect.

So what happens next? The commission can go away and negotiate some more. Or, it can ignore all these well-voiced concerns, around the exact same issues, from a range of individuals and organisations that have extensive knowledge in the broad area of privacy, law and policy, and leave the agreement as is.

The proposed Privacy Shield – in whatever form the commission decides – will be given a final decision probably in July, when it goes before another group of EU officials.

Disdain?

However, such an extraordinary about-face from the US seems equally unlikely. And a looming presidential election in the US throws further uncertainty on where negotiations might go in future.

So what are businesses to do?

Unfortunately, there’s no easy answer. While many businesses – multinationals in particular – and lawyers (primarily US-based) assured companies that they could use a particular type of standard model contracts to cover the transfer issue, and the commission also indicated this to be the case, plenty of questions about their true validity have arisen since.

And, our own Data Protection Commissioner’s Office last week asked the ECJ to rule on whether such contracts satisfy data protection and privacy requirements in the absence of Safe Harbour or a replacement.

If they say no, then we are at a challenging stalemate.
