EU-US Privacy Shield is dead. Long live Privacy Shield

As the saying goes, insanity is doing the same thing over and over again and expecting different results.

And so we arrive at the news, put out yesterday in the horse latitudes of summer via joint press statement, that the EU’s executive body and the US Department of Commerce have begun talks toward fashioning a shiny new papier-mâché ‘Privacy Shield’.

“The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case,” the pair write.

The EU-US Privacy Shield, as you may recall, refers to the four-year-old data transfer mechanism which Europe’s top court just sunk with the legal equivalent of a nuclear bomb.

Five years ago the same court carpet-bombed its predecessor, a fifteen-year-old arrangement known — without apparent irony — as ‘Safe Harbor’.

Thousands of companies had been signed up to the Privacy Shield, relying on the claimed legal protection to authorize transatlantic transfers of EU users’ data. The mirage collapsed on cue last month, raising legal questions over continued use of cloud services based in a third country like the US — barring data localization.

Alternative data transfer mechanisms do exist but data controllers wanting to use an alternative tool, like Standard Contractual Clauses (SCCs), to take EU citizens’ data over the pond are legally required to carry out an assessment of whether US law provides adequate protections. If they cannot guarantee the data’s safety they cannot use SCCs legally either. (And if they go ahead they are risking costly regulatory intervention.)

The fall of Privacy Shield should really have shocked no one, given the warnings, right from the get-go, that it amounted to ‘lipstick on a pig‘. Nothing has changed the fundamental problems identified by the Court of Justice of the EU in 2015 — so carrying on doing bulk data transfers to the US was headed for the same legal slapdown.

The basic problem is the mechanism failed to do what’s claimed on the tin. Which is to say EU people’s personal data is not safe as houses over there because US government security agencies have their hands in tech platforms’ cookie jars (and all the other jars and tubes of the modern Internet), as the 2013 Snowden revelations illustrated beyond doubt.

Nothing since the Snowden disclosures has substantially reworked US surveillance law to make it less incompatible with EU privacy law. President Obama made a few encouraging noises but under Trump the administration has dug in on helping itself to people’s data without a warrant. So it’s closer to a funnel than a shield.

Turns out neither a ‘Shield’ nor a ‘Harbor’ were metaphors grand enough to paper over this fundamental clash of legal priorities, when a regional trading bloc with long standing laws that protect privacy butts up against an alien regime that rubberstamps digital intrusion on national security grounds, with zero concern for privacy.

And so we arrive at the prospect of a new, papier-mâché ‘Privacy Shield II(I)’ — which looks to be the most appropriate metaphor for this latest round of EU-US ‘negotiations’ aimed at cobbling something together to buy more time for data to keep flowing. Bottom line: Even if Commission and US negotiators ink something on paper any claimed legal protections will, without root and branch reform of US surveillance law, sum to another sham headed for a speedy demolition day in court. 

It’s also worth noting that Europe’s judges are likely to step on the gas in this respect, with Privacy Shield standing for just a fraction of the time Safe Harbor hung around. So any Privacy Shield II (III if you count Safe Harbor) would likely get even shorter shrift. 

Not that legal reality and legal clarity is preventing fuzzy soundbites from being despatched from both sides of the Atlantic, of course.

“The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades,” the pair write in a fresh attempt to re-spin a legal car crash disaster that everyone could see coming, years ahead.

“As we face new challenges together, including the recovery of the global economy after the COVID-19 pandemic, our partnership will strengthen data protection and promote greater prosperity for our nearly 800 million citizens on both sides of the Atlantic.”

There’s no doubting the appetite of the Commission and the US Department of Commerce share for data to keep flowing. Both prioritize ‘business as usual’ and lionize their notion of “prosperity”, to the degree where they’re willing to turn a blind eye to rights impacts (including the Commission).

However neither side has demonstrated that it posses the political clout and influence to remake the US’ data industrial complex — which is what’s needed to meaningfully ‘enhance’ Privacy Shield. Instead, we get publicity for their next pantomime.

We’ve reached out to the Commission with questions, lots of questions.


Read the original post: EU-US Privacy Shield is dead. Long live Privacy Shield

Organize your team with Milanote.