After Safe Harbor and Privacy Shield, third time lucky for transatlantic data flow regulation? That'd be a definite maybe...

Stuart Lauchlan, March 28, 2022
A data flow deal that works, at last! Or is it?


It’s taken the best part of two years, but the US and the European Union (EU) have finally come up with a replacement for the ill-fated (and ill-devised) Privacy Shield transatlantic data transfer framework. The question now is, will this latest arrangement stand up to scrutiny?

Privacy Shield was the successor to the Safe Harbor framework that was in place for many years before being shot down by the European Court of Justice (ECJ), the highest court in the EU. This had been a long time coming, but brinksmanship/indifference (delete as applicable) on both sides of the Atlantic meant that no constructive action had been taken to address legitimate concerns until it was too late.

The result was the hastily-cobbled-together (and preposterously named) Privacy Shield, which was very quickly exposed as more of a PR exercise of the ‘something must be done, this is something, this will have to do’ variety. But the lipstick soon came off the pig as even the EU’s own legislators and regulators conceded that the new arrangements weren’t fit for purpose.

The end result was that in the summer of 2020, Privacy Shield followed its predecessor into the ECJ and suffered the same fate. Since then, organizations looking to transfer data across the Atlantic have relied on alternative mechanisms, most notably Standard Contractual Clauses, while a long-term solution is worked out.

That finally appeared to happen at the end of last week when the US and EU announced a deal had been struck, an announcement coinciding with US President Joe Biden’s visit to Europe to discuss the Ukraine crisis. EU President Ursula von der Leyen said:

I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties.


But does it? At this point, it’s difficult to tell. The devil’s in the detail and at present there’s not a great deal of that around. Civil liberties activist Max Schrems, who’s been at the heart of both the fall of Safe Harbor and Privacy Shield, was pretty sceptical on Twitter when he said:

Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another 'patchwork' approach but no substantial reform on the US side. Let's wait for a text but my bet is it will fail again.

So what do we know? A statement from EU Commissioner for Justice, Didier Reynders, and US Secretary of Commerce, Gina Raimondo, doesn’t get into the nuts and bolts, but hand waves in the general direction of wanting to achieve something:

The US Government and the European Commission have decided to intensify negotiations on an enhanced EU-US Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.

These negotiations underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies.

Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.

There’s more meat to be had in a briefing sheet from the White House where it suggests that Washington has blinked first over the biggest blocker to a deal - US surveillance policy. The party line now is:

The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. 

It goes on to talk about “vital benefits to citizens on both sides of the Atlantic”, including “new, high-standard commitments regarding the protection of personal data” for EU citizens. The US says that it has committed to:

  • Strengthen the privacy and civil liberties safeguards governing US signals intelligence activities.
  • Establish a new redress mechanism with independent and binding authority.
  • Enhance its existing rigorous and layered oversight of signals intelligence activities.

It cites exemplars of how that works in practice, including:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties.
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed.
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

The White House commits that:

EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.

But it adds, in terminology that might provide some ‘wiggle room’ for the spooks, that:

These new policies will be implemented by the US intelligence community in a way to effectively protect its citizens, and those of its allies and partners, consistent with the high-standard protections offered under this Framework. 

My take

As noted, the devil’s going to be in the detail here.

An article from The Hill caught my eye a couple of days before this latest announcement, in which it was stated:

The US Supreme Court's decision this month in FBI v. Fazaga, a case challenging FBI surveillance, will make it significantly harder for people to pursue surveillance cases, and for US and European Union (EU) negotiators to secure a lasting agreement for transatlantic transfers of private data…Fazaga adds to the evidence that safeguards in the U.S. are inadequate - and showcases why they fail to satisfy the EU's privacy rules. Only Congress can put in place the privacy reforms needed to deliver a durable EU-US agreement.

The Biden administration has arguably put more effort into finding that durable solution than its predecessor ever did. But with the mid-terms coming up later this year and the polls not looking optimistic for the Democrats, will there be time or inclination to get this deal done properly? If all the FBI has to do to look at EU data stored in the US is to say “state secrets” to a receptive judge, Max Schrems’ pessimism may well be justified.

The other question here, assuming that a deal is done, is where the UK will ultimately fit in? At present, post-Brexit Britain is mirroring EU data protection legislation and regulation, but the British Government has made no secret of considering deviating from this if it thinks it’s in its own interests. That would have an immediate impact on the current holding position with Brussels. If the EU and the US are as one on this latest transatlantic deal, what would Washington’s view be on the UK not toeing the line as well?

The mainstream media headlines have hailed Friday’s announcement effectively as the end of the matter. It’s far from that. There’s a long, long way to go yet. But it is a start at least.
