EU, US close to replacing defunct Privacy Shield II
If you transfer data to America from Europe, listen up
Updated The State of the Net conference in Washington, DC, has heard officials representing the EU and the US say they believe they are close to reaching a data-sharing agreement to replace Privacy Shield.
The earlier legal arrangements to ease the vital sharing data between the two jurisdictions was kiboshed in 2020 when the EU Court of Justice struck down Privacy Shield in what became known as the Schrems II ruling.
What is Schrems I?
In the first case, arising from a complaint filed with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately toppled the biggest EU-US data-sharing deal, Safe Harbor. Schrems had alleged that Facebook violated the so-called Safe Harbor agreement which protects EU citizens' privacy, by transferring its users' data to the US National Security Agency (NSA).
In the Schrems I ruling, in 2015, Europe’s highest court ruled that data sharing between the EU and US under the Safe Harbor framework was invalid.
What is Schrems II?
Schrems, a former law student, brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency still wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US under Privacy Shield.
In July 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
Earlier this week, reports from the State of the Net conference suggested progress is indeed being made on agreeing on a replacement.
"We definitely recognize that there has been a lot of instability in data transfers and that companies are operating in an environment of uncertainty right now," US Department of Commerce Privacy Shield Director Alex Greenstein told the conference.
"We and our partners in Europe are trying to conclude this negotiation as quickly as possible. We recognize this is having an impact on US companies but also EU companies."
According to legal website Law360, he said his team and EU officials were tackling ambiguity around international information exchanges as quickly as possible.
In the absence of a replacement for Privacy Shield, companies have been forced to fall back on standard contractual clauses, or SCCs, to cover international data sharing between the EU and the US. As well as being time consuming to implement, SCCs may not be watertight.
In January, a ruling by the Austrian data protection authority found that SCCs are not sufficient to comply with EU law and that so-called technical and organisational measures (TOMs), such as data centre security and baseline encryption, are also insufficient.
The complainant in the case, legal campaign group noyb, had visited the website of a publisher while logged into a Google account, which was linked to the complainant's email address. The site contained embedded HTML code for Google services, including Google Analytics. The website processed personal data such as IP address and cookie data. The data had been transferred to Google, putting it under the purview of the European General Data Protection Regulation (GDPR).
That case was followed by a similar ruling in France.
Accordingb to Sean Heather, senior vice president of regulatory affairs for the US Chamber of Commerce, a data transfer pact will be agreed soon and that tyhe conflict in Ukraine would accelerate it.
"I do think this has put a renewed emphasis on the importance of transatlantic talks. I'm not in the negotiating room. I'm not at the table, but I feel like we have a chance to see something maybe mid-spring, late spring, early summer. That would be the window that I'm watching right now," Heather commented.
In February, reports suggested officials on both sides of the pond had reached an approach that might involve offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information. If adopted, it would give EU citizens more privacy rights in the US than Americans currently enjoy.
- EU proposes law forcing manufacturers to share data
- EU Data Protection Board probes public sector use of cloud
- France says Google Analytics breaches GDPR when it sends data to US
- Privacy Shield: EU citizens might get right to challenge US access to their data
The UK currently enjoys an "adequacy" ruling from the EU allowing data sharing between the UK and the trading bloc as long as UK law is in line with relevant EU data law. That ruling can be revisited at any time.
Neil Brown, veteran tech lawyer and boss of decoded.legal, commented: "This will be the third instance of a framework for transfers of personal data from the EU to the USA. Whether it will be as good as the third Back to the Future film, or as bad as the third Matrix film, I've no idea.
"It is hard to see how an agreement alone would survive challenge in the EU, without changes to the USA's laws on surveillance." ®
Updated to add on 3 March 2022:
An ICO spokesperson has been in touch to say: "While the Belgian Data Protection Authority's ruling does not have direct effect in the UK, the adtech sector is global and we will be considering this and other judgments as part of our ongoing work.
"We addressed IAB Europe's Transparency and Consent Framework (TCF) in our adtech and real time bidding 2019 report [PDF], noting that it was insufficient to ensure transparency, fair processing or free and informed consent. There were also concerns stemming from a lack of clarity about how compliance was monitored and a reliance on contractual controls. Subsequent iterations of the TCF and its use by publishers have not significantly addressed these issues."
It also noted that it had "recently published a Commissioner's Opinion that set outs clear data protection standards that companies must meet when developing online advertising technologies in order to safeguard people's privacy."