Broken shield showing Access Now’s call to strike down Privacy Shield after the third annual review between U.S. and Europe
Groundhog Day for Privacy Shield Review by Jennifer Baker, EU Policy Correspondent

Groundhog Day for Privacy Shield Review

Third annual review follows familiar template

This week (18 September), international digital rights NGO, Access Now, called on the European Commission to strike down the Privacy Shield agreement that allows data sharing between EU and the US.

The arrangement was originally conceived as a replacement to the Safe Harbour regime, itself required because the US does not meet the EU adequacy standards for data protection. Since its implementation on August 1, 2016, more than 5,000 companies have signed up, voluntarily promising to respect European citizens’ privacy rights or face sanctions from the US Federal Trade Commission.

Earlier this month – 12-13 September – a delegation from the EU went to Washington to conduct the third annual review of the framework. Unsurprisingly those with an interest in upholding the deal found no major problems with it.

Europe Vice President for the Information Technology Industry Council (ITI), Guido Lobrano, said: “The Privacy Shield continues to perform well and deliver on its objectives, thanks in part to the European Commission’s ongoing work and the US government’s increased commitment to the effort.”

That “increased commitment” is the belated appointment of a State Department ombudsperson one of the key European demands after the last review. According to the White House: “The Trump Administration’s commitment to robust privacy protections for individuals has never been stronger.”

But Access Now says that the US administration has repeatedly failed to take the necessary steps to protect European privacy rights and described the Privacy Shield arrangement as “toothless.”

“While we welcome the fact that the U.S. is at least living up to its commitment under the Privacy Shield to complete the nomination process of the Ombudsperson, the mechanism remains inadequate to provide protection to the right to remedy that is essentially equivalent to that prescribed by EU law. The Ombudsperson mechanism does not meet the criteria for independence. As we have articulated previously, the location of the Ombudsperson mechanism under the Secretary of State cannot be considered adequately independent from the intelligence community and free from “improper influence,” said the NGO in its official assessment.

“The Privacy Shield is an ill-suited framework which does not guarantee people’s rights to privacy and data protection and does not comply with EU law,” said Estelle Massé, Global Data Protection Lead at Access Now. “By maintaining the Privacy Shield, the EU Commission weakens Europe’s data protection framework and risks undermining its global leadership role in advancing human rights,” she added.

“If the United States government has failed to protect the privacy rights of the American people, how can the EU expect the US to protect the digital rights of Europeans?” asked Jennifer Brody, Legislative Manager at Access Now. “The US administration has not followed through on the commitments it made under the Privacy Shield and continues to deploy surveillance technologies that target non-US persons. The arrangement must be struck down.”

The NGO added that that nascent discussions regarding a federal data privacy law in the US should not reassure EU regulators and decision-makers that the US will live up to its responsibility to pass a comprehensive law. The appointment to lead US intelligence agencies of “several individuals who have a record of undermining human rights,” is also a key concern.  “Despite some reforms and years of debates, mass surveillance is still lawfully permitted under a few authorities in the US, additionally, prominent controversies like the use of Facebook-held data by Cambridge Analytica underscore the limitations of the Federal Trade Commission (FTC) as a data protection authority.”

However, we’ve been here before, and as in previous years, the Commission will see fit to ignore this assessment. In a joint statement with US Secretary of Commerce Wilbur Ross, EU Justice Commissioner Vera Jourová said: “The broad and senior level participation from both sides underscored the shared and longstanding commitment of the United States and the European Union to the framework.”

“Privacy Shield ensures that participating companies and relevant government authorities provide a high level of protection for the personal data of EU individuals,” continued the statement.

“The European Commission will publish a report on the functioning of the Privacy Shield. This report will conclude this year’s review process.” In other words, don’t hold your breath for any radical overhaul.

The Business Software Alliance (BSA) welcomed – of course – the “positive and constructive discussions” held this week during the Privacy Shield annual review.

This should come as no surprise given the huge amount of international profits dependent on the framework. BSA’s EMEA Policy Director General, Thomas Boué, explained: “The rapid, seamless, and secure movement of data across borders is essential to the twenty-first century global economy. Companies of all sizes and across all sectors rely on cross-border data flows to do business on both sides of the Atlantic. This third, positive review of the Privacy Shield sends a clear signal about the importance of ensuring the continuation of EU-US data flows, particularly against the current backdrop of ongoing legal challenges to international data transfer mechanisms.”

In his recent paper, Obstacles to Transatlantic Harmonization of Data Privacy Law in Context, W. Gregory Voss from Toulouse Business School, examines how the fundamental differences between the EU and US attitude to privacy make any solution difficult to find.

“Globalisation seems to call for the harmonisation of laws, especially in sectors affecting global business, and this is all the truer with respect to laws affecting the technology industry, with the facility of its cross-border communications networks,” he says. “Data privacy law on both sides of the Atlantic benefits from common origins, but eventually divergence occurred, causing compliance challenges for companies and the potential halting of cross-border data flows from the European Union to the United States. Harmonisation could possibly obviate such difficulties, and there is a window of opportunity to achieve this with discussion in the United States of a potential federal data privacy law.”

But Voss points out three major obstacles to this: “laissez-faire policy and neoliberalism in the United States (and resulting focus on self-regulation there); the lobbying power of the US technology industry giants in a conducive US legislative system; and differing constitutional provisions on both sides of the Atlantic.”

He says that each of these elements makes “attaining true harmonisation more difficult, if not impossible.”

Meanwhile the Privacy Shield mechanism itself is facing a legal challenge in Europe’s top court, following a claim by three French digital rights groups — La Quadrature du Net, French Data Network and Fédération FDN — that it fails to uphold fundamental EU rights. If the general court decides that Privacy Shield is indeed in breach of EU rights, then all bets are off.