Privacy Shield is already coming apart at the seams
The US-EU data-transfer agreement is up for review, but its flaws are all too obvious
A review of the Privacy Shield agreement will commence on Monday week.
On Monday week, the European Commission and the US government’s department of commerce will commence their first annual review of the Privacy Shield agreement, the none-too-sturdy structure which - at least for now - allows companies to move the data of Europeans to the US with relative ease.
Some 2,400 companies use the agreement, the replacement for the discredited Safe Harbour arrangement that was effectively thrown out by the European Court of Justice (ECJ) in its 2015 judgment in Max Schrems’s case challenging how his data was handled by Facebook.
The figure is less than half the number of firms that had signed up to Safe Harbour (about 5,500), a process that only demanded a button-clicking self-certifying exercise by companies on a designated webpage.
That insipid level of assessment - the privacy equivalent of our old charity regulations that used to let virtually anyone and anything claim to be a charity - was just one of the many reasons the ECJ rightly determined Safe Harbour was anything but for EU data.
The fact that an additional 3,000 companies that were in Safe Harbour haven’t certified under Privacy Shield raises questions about what they are doing now to achieve data transfer compliance.
The only other options are to use individually negotiated contracts (unlikely except for the very largest multinationals), or contract templates called model contracts.
Our Data Protection Commissioner is awaiting clarification from the Commercial Court on the adequacy of the latter.
Privacy Shield was hammered together at such relative speed (after years of sclerotic EU-US negotiations to improve Safe Harbour), and approved with so many details still fuzzy and compliance mechanisms untried, that scepticism has been rife over whether it would withstand scrutiny by the ECJ.
For its part, the Article 29 Working Party of EU state data protection authorities (WP29) expressed a range of doubts about Privacy Shield from the outset, and at the start of summer set out a list of concerns it wanted addressed in the annual review (after the initial date for the review was bumped from June to September).
These issues ranged from being able to collect evidence to verify the functioning of Privacy Shield to the scope of bulk collection of data by US surveillance agencies and the adequacy and independence of the US’s proposed “ombudsman” to oversee the agreement.
If the Obama-era data agreement was already on wobbly legs from the start - and it was - that situation has not improved under the Trump administration.
A succession of government actions, as well as some tediously inevitable Trump tweets, have caused some European officials to publicly express doubts about the US’s commitment to meeting EU data protection standards for data transfers, a key element of Privacy Shield.
Most ominous was a comment in August by European Data Protection Supervisor Giovanni Buttarelli, who said in an interview that Privacy Shield was “an interim instrument for the short-term. Something more robust needs to be conceived.”
He also noted that it was “surprising” that Trump’s government still had not appointed anyone to the critical ombudsman role, or named anyone to fill the four vacant positions on the US government’s Privacy and Civil Liberties Oversight Board (PCLOB), a watchdog that drove the necessary changes in some surveillance programmes revealed by Edward Snowden.
A week ago, Trump finally nominated a new chair for the PCLOB, but the nominee is not someone likely to assuage EU concerns. The nominee, Adam Klein, has previously come down in favour of allowing warrantless searches of US citizen data gathered unintentionally in bulk data-snooping programmes under the controversial Section 702 of the Foreign Intelligence Surveillance Act.
However, the data of foreigners gathered “incidentally” in such campaigns currently has no protections at all, an ongoing concern for EU privacy advocates. Section 702 is due to expire this year, unless Congress votes to continue it.
Meanwhile, an ECJ ruling last month gave some insight into how the top EU court weighs up the adequacy of data-transfer provisions. The court stated that Canada needs to provide greater privacy safeguards to EU data gathered under a draft EU-Canada airline passenger name record data-transfer agreement.
The specifics of the ruling would suggest that, at the very least, Privacy Shield needs major redrafting if it is to survive an inevitable ECJ-level challenge. Two such cases are already potentially in the offing and awaiting possible referral, including one from Digital Rights Ireland.
Following the upcoming Privacy Shield review, the European Commission will issue a report. The WP29 has also signalled it may issue a report - surely a certainty unless, by some extraordinary last-minute transformation, Privacy Shield becomes a model agreement for seamless, trustworthy privacy protection.
The more likely outcome? Privacy Shield will need significant changes. And the US will be asked to provide assurances that the Trump administration will fundamentally be unable to do.
Make no mistake, this is a major business crisis slouching towards an ECJ which has firmly demonstrated it stands on the side of fundamental privacy protections.