When the Privacy Shield framework that governs business transfer of personal data between Europe and the United States was struck down by the EU’s highest court last month, it left many US companies scrambling. Some were confronting the extreme possibility of having to set up separate processing systems based in Europe to transfer personal data.
The United States Department of Commerce and the European Commission are now discussing an enhanced reboot of the Privacy Shield that comes into compliance with the EU’s General Data Protection Regulation (GDPR), but the issue is politically thorny and there are serious questions about how feasible it is. The court’s ruling against Privacy Shield was based primarily on leaked knowledge of US government surveillance and eavesdropping policies; some of these are still not formally acknowledged, and some the US government has openly committed to continuing. Without serious privacy reform and a federal law in place in the US, it may not be possible to draft an agreement that survives another round of scrutiny in the EU court system.
An enhanced EU-US Privacy Shield framework?
A joint press release from the US Office of Public Affairs and the European Commissioner for Justice indicates that the two sides have ” … initiated discussions to evaluate the potential for an enhanced Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
The invalidation of the Privacy Shield framework was caused by a lawsuit initiated by Max Schrems, an Austrian privacy advocate who has been challenging these international agreements in court since 2015. Schrems has a perfect record so far, taking down both Privacy Shield and its predecessor Safe Harbor. He’s been able to do so primarily because of the Edward Snowden leaks of 2013 that revealed broad surreptitious access to all private data that passes through the US (which is the majority of all of the world’s traffic given that the US hosts major internet exchanges). The EU’s highest court has consistently agreed with Schrems’ argument that privacy to the level required by the GDPR is not possible given the expected access that US intelligence agencies will have to this personal data.
The ruling not only requires the US to provide firm and immediate assurances that this data collection is no longer happening, but also prevents US companies from sending European data to any third-party vendors based in countries that do not have a GDPR-equivalent national privacy law.
Given that there has been no meaningful change in privacy laws or practices on the US end, there is little reason to believe that a “Privacy Shield II” would ultimately fare any better than its two predecessors. But the US and EU may well be anticipating this; a new agreement could simply be a delaying tactic to allow business to continue for some time while a new case works its way through the EU courts. Though the legal challenge to the Privacy Shield framework moved through the court system much more quickly than the Safe Harbor case did, it nevertheless took nearly four years to work its way from the initial filing to the European Court of Justice ruling.
There is one key term needed to potentially validate any new agreement in the eyes of the GDPR: a means by which European citizens can seek legal redress in the US if they believe a US government agency has improperly accessed or used their data. EU citizens presently have no such privacy rights in the US legal system. The previous Privacy Shield framework tried to get around this by appointing an ombudsman from the EU to reside in the US and act as a representative for its citizens, but the court found that the system did not provide adequate protection and its workings were not transparent enough.
There is a major sense of urgency in finding an alternative solution to the Privacy Shield framework. The court’s ruling leaves some leeway for companies to continue operating under existing valid Standard Contractual Clauses (SCCs), but they are expected to submit these to the relevant data protection authority (DPA) for review if they think that the agreements might not meet the terms established by the Schrems II ruling. It is possible that further action by the court might fully invalidate these SCCs in the near future.
Prospects for a long-term solution
Some observers, such as Chloé Messdaghi, VP of Strategy for Point3 Security, believe that the Privacy Shield framework situation is inherently intractable because of the massive tech industry leverage that the US companies hold: “To the public, it was a way to push for the U.S. to get onboard with surveillance reform as well as a push for business interests to do the same. In return, the situation provides the U.S. with two options: 1) to change their ways; or 2) companies will have to move their operations to Europe and split their systems into two parts. But let’s be real – did the EU do this to push for change? Or to ‘be seen’ by the public to push for change? Because the reality is the U.S. has their hands deep in tech platforms. Thus, the EU often bends backwards for the U.S. because of its power and control … the U.S. and EU are again trying to reach another ‘agreement’ to make sure everything continues to function. But whoever controls tech has the ability to do what they want – and since that’s the US, it prevents the EU from imposing anything because they don’t have equal standing.”
Given all of this, it seems highly likely that the EU and US will “kick the can down the road” with another Privacy Shield framework that is likely to be found inadequate by the court system. Albeit after another several years of legal wrangling, buying more time for a more pragmatic solution to be put into place. It’s still unclear as to what the ultimate solution to this conflict will be, but as CEO of Gurucul, Saryu Nayyar observes: “The European Union puts data privacy for its citizens first, ahead of Law Enforcement and State needs … Finding common ground will take negotiation and compromise, but it is vital. The data must flow.”