Europe raises the Privacy Shield against the US, but the emperor has no clothes on

By Stuart Lauchlan, February 2, 2016
Summary:
Raise your Euro-shields high and ward off the blows from US surveillance - apparently. But when the devil's in the detail, it's clear that this is a case of The Emperor's New Clothes.

Thank heaven - we’re saved!!!

At the eleventh hour, Europe and the Americans have come up with a transatlantic data privacy solution.

Even better, it's got a really funky name as well.

Forget about harbors of questionable safety. Now we’ve got, wait for it….a Privacy Shield!

Isn’t that great? A Privacy Shield, eh?

What’s that? What’s a Privacy Shield, you ask?

Beggared if I know, but everyone’s jolly pleased about it, whatever it is.

Andrus Ansip, European Commissioner for the Digital Single Market, says:

We have agreed with our US partners a new framework that will ensure the right checks and balances for our citizens.

Meanwhile Vĕra Jourová, European Commissioner for Justice, reckons that:

For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.

And for the US, Secretary of Commerce Penny Pritzker says:

The [EU-US Privacy Shield] provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses, and millions of individuals, can continue to access services online.

So, as I say, that’s all great, isn’t it?

The king is in the altogether

But what is it?

I’ll tell you what it is. It’s smoke and mirrors. The Emperor's New Clothes.

It’s a press release that’s been rushed out to calm nerves and stave off the consequences of the ludicrous and dangerous game of brinksmanship that’s been played out by the European Commission for the past two years, during which time a proper Safe Harbor reinvention should have been taking place.

I’ll tell you what it isn’t. It isn’t a fully-formed framework. Commissioner Jourová and her colleagues have to go off now and flesh out the meat on the bones of this scrawny concept.

Nonetheless the tech industry has leapt on the morsels that have been chucked on the floor to date. Kamal Shah, SVP of products at Skyhigh Networks, is typical when he says:

We are thrilled with the news from Brussels.

Meanwhile Michael Bisignano, CA Technologies General Counsel, adds:

We commend the European Commission and the US Government for reaching an agreement that provides certainty to businesses and consumers on both sides of the Atlantic.

And while the cloud majors have still to comment formally, at least one leading figure has signalled his relief that something's happened.

But others are more sceptical. Mike Weston, CEO of data science consultancy Profusion, warns:

I doubt it will be anything more than a stop-gap measure. It is also unlikely to quell disquiet in the tech community by restoring long term confidence in the trans-Atlantic flow of data. There are simply too many unknowns and roadblocks up ahead.

Meanwhile Ian McEwan, VP & General Manager of EMEA at Egnyte, adds:

While the new EU-US Privacy Shield deal comes as temporary relief, it is merely an incremental step in the right direction. The issue of privacy is still far from solved when it comes to the transatlantic handling of data. There is far too much trust being placed in government agencies and a heavy reliance on the integrity of systems that have provided unsatisfactory levels of transparency.

Smoke gets in my eyes

So is there anything there of substance today? What’s got everyone excited in Brussels is that the Americans have promised not to go peeking at European data. Specifically they’re busting their boots that the US intelligence services say they won’t do any more of that mass surveillance stuff.

Yup - and once you’ve bought into that, come over here where I can do you a good deal on buying Buckingham Palace.

There will also be an independent Ombudsman for all European citizens. This office will be the go-to place to lodge complaints if the Americans don’t keep to their word - perish the thought! The Ombudsman will then take your complaint to the US authorities.

Other than that, this is a fig leaf of data privacy flannel that is unlikely to satisfy the European Court of Justice with its ‘in one bound we were free’, ‘out-of-the-box-at-the-very-last-minute’ nature. And it will be eyed with suspicion by national Data Protection Authorities throughout the European Union for its fundamental lack of detail.

Civil rights activists aren't going to buy this either. Max Schrems, who brought the original Safe Harbor case to the European Court of Justice, has already begun banging on the shield!

With all due respect, but a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance.

He's absolutely correct. As I pointed out yesterday, we've no idea what stance President Trump/Cruz/Clinton/Sanders/Rubio/delete as applicable will take on this matter, other than flying the flag in an election year.

Schrems adds:

Judging from the mere headlines we know so far, I am however not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them.

This bugger's muddle of a compromise isn’t going to please the more draconian advocates of tougher data privacy regulation either, such as Viviane Reding, who agitated against the US for years on the subject when she was Vice President of the European Commission. Her reaction to the mighty shield of privacy:

Necessary, but insufficient steps.

The fight clearly goes on for Reding.

So what’s next? Well, once the excitement dies down, Ansip and Jourová have to prepare a draft "adequacy decision" over the coming weeks/months.

That then has to go before the Article 29 Working Party and will need to be paraded past representatives of the EU Member States for comment and discussion.

Then, assuming some form of consensus is achieved - which is far from guaranteed - it might become a real thing.

Maybe.

But don't count on it.

My take

Now that businesses and governments have been thrown this comfort blanket to keep everyone calm, it’s crucial that the next steps are conducted properly and with a care and mutual determination that frankly hasn’t been the case to date.

And do it properly this time, without sabre rattling and anti-US rhetoric from various Commissioners. Even yesterday, Jourová couldn’t resist sniping:

We will of course hold the US accountable to its commitments.

Antony Walker, deputy CEO of industry lobby group techUK, sums up nicely what needs to happen now:

The European Commission and US Administration must now show total commitment to implementing this agreement and getting trans-Atlantic data flows back onto a secure and stable legal footing. Data Protection Authorities across Europe must play a constructive role in supporting this new agreement. It is essential that they allow time for this agreement to work and refrain from further regulatory action on other transfer mechanisms.

But for now, it's a comfort blanket with a lot of holes in it. Wooly thinking, but ever so comforting next to the skin.