If there was any doubt remaining, recent events on both sides of the Atlantic appear to have banged the nails into the coffin lid of the so-called Privacy Shield data transfer scheme.
Hastily cobbled together at (beyond) the last minute as a replacement for the struck-down Safe Harbor arrangement between the European Union and the United States, Privacy Shield has come under fire from all sides since it was first pitched.
While welcomed as comfort blanket of assurance by US cloud services providers, it failed to satisfy the European Commission’s own data protection working party. Meanwhile the election of Donald Trump as US President cast further doubt on the long-term viability of the scheme.
An executive order signed by Trump in January 2017 sparked immediate concern that the data of EU citizens could be excluded from US privacy regulations. The order,Enhancing Public Safety in the Interior of the United States, empowers government agencies to “ensure that their privacy policies exclude persons who are not United States citizens”.
Meanwhile the US House of Representatives and the US Senate this week voted to overturn an Obama-era rule issued last October that was designed to give consumers greater control over how internet service providers (ISPs) could share their data.
The Federal Communication Commission’s new Republican chairman Ajit Pai called the existing rules regulatory over-reach. But with the US government seemingly happy to allow it own citizens internet history information to be sold to the highest bidder, what price Europeans data?
Back in Europe, the European Parliament’s Civil Liberties, Justice, and Home Affairs Committee (LIBE Committee) earlier this month issued up a draft resolution deeming Privacy Shield to be inadequate. This is set to be debated by the European Parliament in the coming weeks.
The resolution highlights Committee reservations over the lack of specific rules on automated decision-making or the general right to object to data transfers, as well as the absence of clear guidance on how the Privacy Shield principles apply to data processors.
The Committee also criticised the voluntary and self-monitoring aspects of Privacy Shield and expressed doubts about the independence of the ombudsmen and arbitrators in the US. Revelations last October about mass email scanning at the direction of US intelligence officials led the Committee to query “the assurances of the US Director of National Intelligence in the Privacy Shield context.”
Committee Chair Claude Moraes said in a statement after the vote:
The Civil Liberties Committee resolution adopted today sends a clear message that, while the Privacy Shield contains significant improvements compared to the former EU-US Safe Harbor, key deficiencies remain to be urgently resolved. Both citizens and tech companies relying on transatlantic data flows need the certainty of a robust legal framework and our text calls on the commission to conduct a proper assessment to ensure this certainty.
For the past few days EU Justice Commissioner Vera Jourova has been in Washington, meeting with US Commerce Secretary Wilbur Ross and other Trump administration officials to get them to “reaffirm” their commitment to the scheme. She’ll also be taking part in a panel debate at the Center for Strategic and International Studies later today when she’ll deliver a keynote address.
In her talks with US officials yesterday, Jourova has maintained an upbeat tone on Twitter.
But she has been taking a firm stand with Washington officials, according to Paul Nemitz, the European Commission’s Director of Fundamental Rights and Citizenship, who told the RightsCon conference in Brussels earlier this week:
The commitments the US has taken must be respected, she [Jourova] has been very clear already on this and also publicly.
It’s not a case of ‘if’ Privacy Shield falls apart; it’s only a matter of ‘when?’. All the right soothing noises will doubtless be made in Washington, but there’s nothing in the Trump administration’s actions that provides reassurances to non-US citizens.
The internet history regulatory rollback is casually deemed a domestic matter. Maybe it is, technically, but the perception at home and abroad is a hugely negative one.
With the Department of Justice still hellbent on establishing the right to access data held on non-US located Microsoft servers, it’s clear that the turf war for what the US intelligence services want to be allowed to do is still in play.
And when the European Commission’s own data protection and civil liberties committees don’t have any faith in Privacy Shield, what’s the point in pretending much longer that this wretched buggers muddle has any mid-to-long term chance of survival?
Jourova will no doubt be told what she wants/needs to hear in Washington and everyone involved in the meetings will congratulate themselves. What would be a better use of her time would be to use these face-to-face meetings to get discussions underway on a proper replacement for Safe Harbor.
Image credit - Vera Jourova