Two years later and it still sucks: Privacy Shield progress panned

MEPs remind everyone Facebook wasn't hauled off list. Roll on, review 2.0

Analysis More than two years in, Privacy Shield still isn't fit for purpose – and data protection experts and politicians want to see a bigger commitment ahead of its second annual review.

The agreement, rushed through in the summer of 2016 after its predecessor Safe Harbor was scrapped, governs data flows between the European Union and the US.

Although most critics agree that it provides more protection for EU citizens' data than Safe Harbor, concerns about oversight, enforcement, automated decision-making and US surveillance have been raised repeatedly.

Frustrations have mounted in recent months, as some of the changes called for in the first annual review – carried out in September 2017 – have yet to materialise, and those that have been made have come at a glacial pace.

"Less progress has been made than expected," European data protection supervisor Giovanni Buttarelli said. "For instance, we were expecting a quicker appointment of members of the PCLOB [Privacy and Civil Liberties Oversight Board] – that was recommended as essential."

Although a chair was appointed shortly after the review, it took until March for two further members to be nominated, and neither those nominations nor any other appointments have yet been finalised.

This week a coalition of 31 organisations called for the US administration to pull its finger out, noting that PCLOB – charged with overseeing the US spy agencies – had only had a quorum for four-and-a-half years of its 11-year existence.

And of course it's about more than just bums on seats. "We're also pushing for the efficiency and functionality of the body," Buttarelli said.

Critics also complain about a lack of clarity on national security issues, and on arrangements for the ombudsperson who handles such complaints – not least because the current holder of that position, Judith Garber, has been nominated as US ambassador to Cyprus.

"We don't have any information on who is going to replace her as acting ombudsperson," said Andrea Jelinek, chair of the European Data Protection Board, which is made up of the leaders of the EU's privacy watchdogs.

She said that a July meeting with Garber had been "interesting and collegial, but did not provide any conclusive answers regarding our concerns".

Face up to privacy limits: Mass surveillance

But one of the issues that looks less likely to be resolved is that of national security and mass surveillance; critics are concerned about routine access to data under the deal, but a lack of transparency makes it hard to unpick.

For instance, MEPs were disappointed the US didn't embed Presidential Policy Directive 28 – which states that surveillance activities must safeguard personal information regardless of where the person resides – into the Foreign Intelligence Surveillance Act when it was re-authorised at the end of last year.

Now, they want evidence that data collection under FISA section 702 isn't indiscriminate and isn't conducted in a generalised, bulk manner, which would run against the EU Charter of Fundamental Rights.

"Because of the differences between the two legal systems, we still have concerns about the chance Privacy Shield can be viewed as a legitimation of routine access by certain authorities," Buttarelli said. "We've been asking for more precise information about mass surveillance in practice... for more tangible measures and improvements when it comes to US surveillance."

But, as Buttarelli acknowledged, intelligence services rarely go public about the detail of their activities – a point emphasised by Omer Tene, veep of the International Association of Privacy Professionals.

"The heart of the matter, I think, is not going to be resolved," he told The Reg. "At the end of the day, section 702 has been extended and I don't anticipate any fundamental changes in the way that the intelligence agencies operate as a result of the Privacy Shield."

Rather, Tene wants to see a more pragmatic view that focuses on enforcing the deal within these confines, recognising that data protection authorities have no jurisdiction over any nation's intelligence agencies.

"That was the European Commission's approach, and I fully expect it will continue to be the approach going forward," he said.

"They can look at the oversight mechanism, PCLOB, ombudsman – but beyond that everyone recognises that if the EU institutions are willing to break this deal over that, then the prospects for continued data flows are pretty grim."

Suspend the deal? We can... but won't

Pressure has also come from the European Parliament, which in July called on the European Commission to suspend the deal if such concerns hadn't been addressed by 1 September – but as we hit the end of August, the holes remain.

Commissioner Vera Jourová has said that her institution wouldn't hesitate to suspend the deal if it was necessary – but her spokesman Christian Wigand told The Reg it wasn't warranted at this stage.

"All elements on which our adequacy finding was based have remained in place since the new US administration took office," he said. "And we have seen some improvements and new appointments in relevant bodies and authorities."

Claude Moraes, chairman of the civil liberties committee (LIBE) that brought the resolution to the parliament, said the idea was to keep the pressure on institutions to make sure the deal was watertight.

Pointing to the legal challenges already launched against the deal, he told The Register it was "negligent" to leave its fate entirely to the Court of Justice of the European Union.

"We don't believe in its current form that it is adequate yet, and the main consequence of that is that the court of justice may well invalidate the decision," he said. "Following Safe Harbor – and the time that has elapsed since then – we can't afford to have that happen again."

Moraes is clear that the MEPs aren't pushing for the deal to be scrapped without due consideration – rather they want to use their influence in the EU to emphasise the problems that haven't been fully addressed.

Among these is how US authorities will enforce the deal, especially since it allows companies to self-certify – some 3,689 have to date – and even the commission has called for more proactive and regular monitoring of compliance.

Yep, Facebook and Cambridge Analytica covered themselves in Privacy Shield... and stayed on the list – MEPs

And there's one obvious example that MEPs were keen to raise: both Facebook and Cambridge Analytica were registered and stayed on the list (CA's participation has since lapsed, which is unsurprising given its bankruptcy filings).

Moraes argued that removing them from the list "would have contributed to enhance the trust of individuals and the credibility of the system", but added that, after a recent meeting with the Federal Trade Commission (which enforces compliance with Privacy Shield terms), he was satisfied the reason was not that Facebook was too big to take on.

For its part, an FTC spokesman told El Reg that it takes enforcement "very seriously" and pointed out it had brought four cases related to Privacy Shield since it went into effect.

Omer Tene, who as well as being IAPP veep sits on Privacy Shield's arbitration panel, noted that the complaints procedure has a clear escalation process.

"To the best of my knowledge, there hasn't been a single such case [referred from the European DPAs to the FTC], so before pointing fingers at the FTC for lack of enforcement, it's worth asking whether there have been any complaints," he said.

The commission said that how the FTC and Department of Commerce work with EU DPAs, how companies are certified and monitored, and what mechanisms companies have for the speedy handling of complaints will all be assessed in the second annual review.

Attitude shifts make second review all the more crucial

However, one thing that's inescapable is how much the tides have turned since the last annual review.

The Facebook saga brought privacy to the public's attention and got big tech firms hot under the collar; the General Data Protection Regulation came into force; and California's privacy law turned up the heat on Washington.

"The incredible shift in policy stance over the past few months has been astonishing," said Tene. "If you looked at this last year, anyone would tell you there was a slim chance of the US actually pursuing federal privacy legislation. Now, it looks like it may be even a likely development this year."

Buttarelli agreed, saying that the "debate of the '80s and '90s over regulation versus self-regulation is now really old fashioned", while Jelinek said that US policymakers needed to take notice of this paradigm shift "and step up their efforts to make reforms".

And change isn't just happening in the US – other countries are now drawing up data adequacy deals with the EU; Japan concluded talks in July, while South Korea is also in the pipeline.

For Buttarelli, this makes Privacy Shield's second annual review – slated to take place on 18-20 October – even more crucial.

"The second review is much more important than the first one," he said. "It's relevant because of other adequacy decisions – we need to make sure the right precedent is set, because otherwise any law enforcement or intelligence services around the world can say, why not me?" ®


Biting the hand that feeds IT © 1998–2021