The European Parliament on Thursday adopted a resolution (PDF) strongly criticizing the EU-US Privacy Shield. Privacy Shield is the mechanism jointly developed by the European Commission and the US government to replace the earlier Safe Harbor, struck down by the European Court of Justice in 2015. Its purpose is to allow the transfer of EU personal information from Europe to servers in the US.
European law requires that personal information can only be transferred to geographical locations with an equivalent or ‘adequate’ level of privacy protection. With very different attitudes towards privacy between the US and the EU, it is unlikely that US data protection will ever be considered adequate for EU data. Privacy Shield is designed to provide an agreement between individual US organizations and the EU that they will handle EU data in a manner acceptable to European standards.
Although Privacy Shield has been agreed between the EC and the US and is already in operation it is not without its critics— not the least of which is the European Parliament. The stakes are high. While this is not the only legal mechanism for the export of European data to the US, it is the primary one. Others include standard contractual clauses (SCCs); but SCCs are already being challenged by Max Schrems in the Irish High Court. Without an acceptable lawful mechanism, there can be no trade between the US and the EU.
It is generally considered that SCCs will eventually be declared unlawful. “There is the ongoing case in Ireland regarding Standard Contractual Clauses,” European privacy consultant Alexander Hanff told SecurityWeek. “This is likely to reach the CJEU and be ruled on in a similar fashion to Safe Harbor which, although will not have a direct impact on Privacy Shield, quite clearly shows the result similar cases (including Binding Corporate Rules and Privacy Shield itself) are likely to achieve.”
There is therefore a lot riding on the continuing legality of Privacy Shield. For the moment, this is not as immediately concerning as it may seem. “The EP resolution follows the statement earlier this week from the Commission indicating a review in the Fall,” comments David Flint, a senior partner at the MacRoberts law firm. “At this stage, it is merely a reminder of all the matters that the Commission should take account of and noting the residual powers of national DPAs to ban transfers, whilst restating the EP’s concerns.”
Hanff agrees that there will be little immediate outcome from this resolution. “I am pretty sure that the Commission can ignore the motion and are likely to do so because frankly what other choice do they have at the moment — if they agree to it, then they are basically accepting that they failed, and the Commission are really not that humble.” Politically, he sees a rift in the current Commission between those focused on digital rights and those focused on the Digital Economy; with the latter in the ascendency.
This doesn’t mean that there is not a problem. Individual national data protection authorities (DPAs) “do have the power to effectively shut down Privacy Shield by banning transfers based on it on the grounds that it does not meet adequacy requirements,” continued Hanff. “They have not done so to date — I suspect because they have been giving the Commission and the US Government a chance to fix it — but it seems highly unlikely that that will ever happen.”
Hanff notes that there is little actual progress on the Privacy Shield agreement from the US side. “When you consider there is still no Ombudsman and that the Privacy and Civil Liberties Oversight Board is reduced to a non-quorate position where only one of its five seats are currently occupied… even if you completely ignore the woeful inadequacies of the agreement, you cannot ignore that some of the major assurances of that agreement have quite simply not been met. I suspect it is only a matter of time now before one or more of the EU’s DPAs makes a stand.” The French authority, CNIL, has demonstrated that it would not be afraid to do so, with recent actions against both Google and Microsoft.
One further complication is a hardening of attitudes with the arrival of the Trump administration. “There is no detailed consideration of possible changes as a result of the new US administration, although that remains a significant concern,” comments Flint. “The recent policy changes on net neutrality and ISP data sharing exacerbate the concern.”
Hanff is more forthright. “One should also be asking questions with regards to the Trump administration and US Congress wiping out ISP privacy rules last week. One must understand that whereas many people focus on the transference of data to a third country when they discuss Privacy Shield (in the case of Privacy Shield, specifically the US) it is not just about the right to transfer; it stems from the right to process – so we must now consider whether a European Citizen visiting the US and using a US carrier for data and voice, have their rights undermined by these recent changes. The obvious answer is yes; however, how we deal with that is much less obvious.”
The European Commission is caught in a modern Morten’s Fork of its own making. It was instrumental in developing European data protection laws (for human rights reasons), but doesn’t wish to abide by them (for economic reasons). Much will hinge on the EC-US talks in the Fall; but today’s European Parliament resolution has indicated to the EC what it expects.
If there is no significant move by the US administration to satisfy European concerns, then a rapid legal challenge to the Privacy Shield can be expected. But it should also be noted that the national DPAs do not have to wait for a legal judgment before taking action. The Schrems case that brought down the original Safe Harbor also made it clear that DPAs cannot be bound by EC promulgations. They have, as Hanff notes, “the power to effectively shut down Privacy Shield by banning transfers based on it, on the grounds that it does not meet adequacy requirements.”