Analysis The European Union's attempts to make data transfers to the United States compliant with privacy laws are an opaque exercise, so much is obvious, but will they work?
It's clear that it is necessary to retain the Transatlantic data trade – in economic terms, but also as a means of preventing the Balkanization of the internet. However, some people question whether the process of replacing Safe Harbor with Privacy Shield leaves the final outcome in an area of legal difficulty. Europeans' data is still being left open to mass surveillance in the US, but now with a supposed means of redress via a US Ombudsman reporting directly to the Secretary of State.
US corporations are shifting EU citizens' data into a jurisdiction whose lawmakers would be revolted by Brussels' notions of exposing State powers to the light of independent oversight bodies. However, between the turn of the millennium and 2015, the EU politely and resolutely ignored that elephant in the room.
For many years and despite much criticism, the EC stood by the claim that the Yanks' legal principles complied with those of its own Data Protection Directive, even doing so after a US National Security Agency (NSA) whistleblower provided some documentary evidence countering that claim.
Thus, when rogue sysadmin Edward Snowden made the activities of the NSA's PRISM programme (Planning tool for Resource Integration, Synchronization, and Management) known, it actually fell to Max Schrems to make a legal complaint about Facebook facilitating these extralegal abuses (at least under the EU's definitions of legality). The European Court of Justice ultimately conceded that Safe Harbor was indeed invalid, suddenly there was no legal basis for American megacorps to continue quaffing Europeans' data.
Not that those companies cared, or agreed even. Facebook, Microsoft, and Salesforce have continued to shuttle Zuckabytes back home through "model clauses" contracts, a measure which is again being challenged by Schrems. Even if this workaround is shot down, however, both the EU and US have been working on the new agreement, dubbed Privacy Shield, which intends to meet the failures in Safe Harbor that Snowden, Schrems and others brought to light.
Leaving aside the long list of missed deadlines, the first attempts by the EU at improving the situation came through Article 29 of the Data Protection Directive, or Directive 95/46/EC – creatively known as the Article 29 Working Party.
The working party was initially responsible for a number of criticisms of the Privacy Shield agreement, welcoming its "significant improvements" compared to Safe Harbor, but noting that "some key data protection principles ... are not reflected" in the draft.
This was just an opinion, however, and not binding – and so when the US brushed off its claims that its Ombudsman would not truly be independent, nor provide an adequate means of redress if Europeans' data was unlawfully probed, that was that.
The US, of course, delivered a written assurance that mass surveillance of EU citizens would not take place in the United States, but its definition of mass surveillance is likely to be strongly contested, and the Ombudsman almost certainly will not have investigatory powers (as per the UK's Interception of Communications Commissioner's Office) to ensure compliance.
The European Parliament subsequently adopted a resolution on May 26 which said that it too considered that, "this new institution [the US Ombudsman] is not sufficiently independent and is not vested with adequate powers to effectively exercise and enforce its duty."
Amendments were made to the draft, and last Monday the Article 31 Committee, made up of representatives from member states and also founded through an article of the Data Protection Directive, made its own amendments.
It is not clear what amendments were made, however, but a qualified majority (more than 16 member states, representing over 65 per cent of the European Union's population) approved the final version of the EU-US Privacy Shield agreement last Friday. Representatives from four nations – Austria, Bulgaria, Croatia, and Slovenia – abstained.
In a statement issued then by Vice-President Andreas Ansip and Commissioner Vera Jourová, the Privacy Shield agreement was set to "ensure a high level of protection for individuals and legal certainty for business."
It is fundamentally different from the old 'Safe Harbour': It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.
For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms, and it has ruled out indiscriminate mass surveillance of European citizens' data.
Writing on the matter, Privacy International's legal officer Tomaso Falchetta stated that: "Given the flawed premises trying to fix data protection deficit in the US by means of the Obama Administration's assurances – as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections."
He said: "The coming days will likely see the adoption of this flawed text by the EU, but it is unlikely to be the final chapter of the EU-US data transfer saga. Because it fails to address the concerns expressed by the Court of Justice of the EU in the Schrems' case last year, the new Privacy Shield, if adopted in the current form, is likely to be challenged in courts."
Many law firms and businesses have welcomed the agreement, however, with Nick Fury Microsoft leading the bunch. A blog by John Frank, Microsoft's veep for EU government affairs, restated the company's desire to implement the Privacy Shield requirements.
"Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements," wrote Frank.
"The Privacy Shield secures Europeans' right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by US security agencies," he added, noting that "in addition, it introduces new rules for data retention and onward transfer of data."
Omer Tene, the veep of research and education at the International Association of Privacy Professionals, said that "the approval of Privacy Shield, an arrangement facilitating commercial data flows between the EU and US, concludes a process set off by the Snowden revelations about the extent of security agencies' access to communications data."
"Companies were caught between strong government interests on both sides of the Atlantic," added Tene, "increasing risk and legal costs. [Privacy Shield], which includes commitments by both self-certifying companies and the US Government, will mitigate uncertainty and risk and increase trust in the global digital economy."
Kuan Hon, a consultant lawyer at Pinsent Masons, was not so convinced, however, stating: "It's very likely that the Privacy Shield (if adopted by the Commission next week as expected) will be challenged by activists or data protection authorities, but it depends on what concessions the Commission managed to get from the US – especially on mass surveillance."
"If the Privacy Shield adequacy decision is challenged, the CJEU [Court of Justice of the European Union] is likely to expedite the hearing given the importance of this issue," Hon added.
"Ultimately, the CJEU will have the final say here, and at this stage we can't predict whether they would uphold the Privacy Shield decision or invalidate it, and if so on what grounds."
The current content of the Privacy Shield agreement is not known, and likely will not be known until the commission approves the agreement – which is expected to happen this week. This is the last and final step in the process of replacing Safe Harbor, at least from the politicos in the EU, but is mostly a formality, with the agreement having quickly gone through the other bureaucratic instruments.
"It would have been nice if the overall version [of the agreement] had been made public," Hon told The Register. But she did not think this in particular would provoke challenges, but rather understood that the private drafting procedure was considered conducive to "free discussion" among policy makers.
She added that she would be "surprised if Privacy Shield was not challenged by activists or regulators," however, particularly considering the interest in this issue from Germany's data protection authority.
In a conference call on the agreement, Sidley Austin lawyers Cameron Kerry and Maarten Meulenbelt also stated that a challenge seemed likely, but would differ greatly from that which brought down Safe Harbor. Meulenbelt noted that the ruling against Safe Harbor was a procedural matter, declaring that that "there had been something the Commission should have looked at" in the original agreement – namely the lack of oversight in the US system.
Kerry stressed that the oversight was required solely in terms of the original PRISM programme and did not pertain to the tapping of transatlantic fibres. While PRISM was considered a targeted programme, the lack of a means of redress was an area of incompatability in the law.
Challenge is equally expected from the chief European spokesperson at Skyhigh Networks, Nigel Hawthorn, who said: "There's no doubt that this agreement will be challenged immediately if it comes into force and the EU Court will ultimately decide if it is lawful" – though he had no prediction to offer there.
"In the meantime, businesses have to move forward and European customers are increasingly voting with their wallets by signing up with cloud services hosting data in the EU or encrypting data before uploading it to the cloud, thus ensuring data never leaves the EU," added Hawthorn. ®