The long-running kerfuffle over the so-called Privacy Shield EU-US data protection agreement took another lurch this week after politicos announced plans to ponder an "enhancement" to the framework.
The joint statement from US Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders comes in the wake of a July judgement by the Court of Justice of the European Union in the Schrems II case that effectively took a hatchet to the framework, declaring it invalid.
The Privacy Shield enables the data of EU citizens to be sent to US companies for storage and processing, and has survived repeated reviews by the European Commission. Austrian privacy activist Max Schrems kicked off the long-running case (often referred to as 'Schrems II') complaining that once his data was in the US there were no legally enforceable EU-style protections to prevent US authorities having a nose around in it.
While last month's ruling did not strike down the Standard Contractual Clauses (SCCs) used as opt-outs by many companies, it seems likely that they too will come under the gimlet gaze of the courts before long.
Which brings us back to what can be done to put Humpty back together again and what enhancements could be made to the Privacy Shield to keep the data, and the money, flowing.
Neil Brown, tech lawyer at decoded.legal, told The Register that attempting to patch up the agreement would "end up being a case of 'different wallpaper, same cracks'" and pointed out that while Section 702 of the US Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 remained in place, "it would be challenging, in my view, to come up with a 'Privacy Shield' arrangement which was not vulnerable to being struck down."
What's all this about SCCs – are they good enough or not?
Bill Mew, founder and CEO at Crisis Team, has said SCCs could be on dodgy ground when it comes to FISA 702, since the Act applies to "electronic communication service providers" (ECSPs). "All the US cloud firms fall under FISA 702," he commented, which could have worrying implications for those outsourced to a US outfit, even if the server is located in the EU. Mew described the location of hosting as "irrelevant".
The US's Clarifying Lawful Overseas Use of Data (CLOUD) Act 2018 allows a US court to demand personal data held by a US company, anywhere in the world.
Decoded's Brown told The Register: "The court is clear that, in themselves, the SCCs remain valid."
However, he added: "To achieve a standard of protection which is 'essentially equivalent' to that of the GDPR, companies transferring personal data out of the EU will be expected to do more than simply sign them with the recipient: they need to investigate the laws of each recipient country, and determine that the combination of the SCCs, those laws, and any other measures which they can put in place, give sufficient protection.
"Fine, perhaps, in theory. Until there's a free, consolidated resource of all relevant laws for each country around the world – perhaps a job for the European data protection regulators? – this could be simply out of reach for companies without deep pockets.
"Clearly, each transfer will need its own assessment but, in terms of transfers to the USA, since Privacy Shield has been found to offer insufficient safeguards, one might question if SCCs alone are up to the job. Worse, given the laws which the CJEU felt were particularly problematic, I question what, if any, additional measures a company could use while still getting the benefit of the transfer?
"In practice, since the totality of the ICO's advice is 'take stock of the international transfers you make and react promptly as guidance and advice becomes available', and that it will take a 'risk-based and proportionate approach' to enforcement, one might forgive companies for assuming they need to do very little, if anything, for now."
Julie Brill, corporate vice president for Global Privacy and Regulatory Affairs and Chief Privacy Officer at Microsoft, insisted last month that the SCCs remained valid and that "our customers are already protected under SCCs" – even as Privacy Shield was struck down.
Brill also pointed out that Microsoft had gone as far as the US Supreme Court to challenge orders seeking access to data. Customers, however, would be forgiven for preferring something a little more legislative to depend on rather than the legal largesse of a cloud giant. As Brill observed: "We'll work collaboratively with governments and policymakers as they shape new approaches."
If the Privacy Shield arrangement is to be resurrected in a manner that could resist swatting by the courts, it would need a change in US law. "I suspect that the USA's appetite for doing this is unlikely," said Brown.
Or perhaps those in the EU could be given rights to challenge US surveillance programmes before US courts?
"It's possible, I guess, but seems unlikely."
While politicos ponder what "enhancements" might deal with the blow dealt to the Privacy Shield, companies would do well to take a long, hard look at the T&Cs of their providers or run the risk of being expensively caught out. ®
* Schrems I, for those who recall, was the case that killed off Safe Harbor, the data protection arrangement that Privacy Shield was supposed to replace.