Expediency in action - Privacy Shield's annual 'love-in' in Washington and Brussels keeps up the pretense

Stuart Lauchlan, September 23, 2019
The annual Privacy Shield review has taken place and guess what - we're all still pretending it's fit for purpose!


They say love is blind - and so is expediency. Certainly the love-in between Washington and Brussels over the Privacy Shield transatlantic data transfer provisions is as naked an example of economic and political expediency as you’re likely to come across.

Regular readers - and anyone in the cloud services industry on either side of the Atlantic - will be all too aware of the background here. Privacy Shield was the hastily cobbled together replacement for the Safe Harbor framework which allowed data to be sent between the European Union and the US with a guaranteed level of privacy and security.

Then the NSA put paid to that notion, fuelling the arguments put forward by some of the more zealous European Commission representatives keen to put the US back in its box that Safe Harbor was basically unsafe. That resulted in the striking down of Safe Harbor and created the need for a solid, improved replacement - which never arrived as EC officials blustered and postured and their US counterparts largely didn’t really care.

Time ran out. Both sides panicked and cooked up a comfort blanket solution in the form of Privacy Shield, a framework so flimsy and flawed that Europe’s own data protection committees and agencies have criticised it from day one. The intervening three years have seen ongoing saber rattling from Brussels, threatening terrible, unspecified things if the US doesn’t take this more seriously, while in Washington Privacy Shield hasn’t made it to the top of any Trump agenda.

But here’s the rub - both sides need Privacy Shield. Or rather, they need the pretence of Privacy Shield, a ‘badge of honor’ that is self-regulated by service providers, in order to keep $7.1 trillion a year of trans-atlantic data flows flowing. If there isn’t Privacy Shield - or something akin to it - in place, US firms doing business with Europe have a problem. As does the European economy if those same firms have barriers put in their way of trading in a digital economy.

Review time 

In the absence of anyone sitting down and coming up with something that actually does the job better, the fudge that’s been in place for three years now is that once a year the US and the EU sit down for a ‘review’ of Privacy Shield in action, after which they go public with a love-in about how things could be better in places, but overall everything’s fine and anyway all long-term relationships need to be worked on, don’t they?

This year’s outpouring of warmth came last week when US Secretary of Commerce Wilbur Ross and EU Commissioner for Justice, Consumers, and Gender Equality Věra Jourová issued their by-now traditional and predictable statement:

Senior officials from the United States Government, the European Commission, and EU data protection authorities gathered in Washington, DC on September 12 and 13 to conduct the third annual joint review of the EU-U.S. Privacy Shield Framework. The broad and senior level participation from both sides underscored the shared and longstanding commitment of the United States and the European Union to the Framework.

The US Department of Commerce hosted the two-day review, which covered all aspects of the functioning of the Privacy Shield Framework from its administration and enforcement to broader US legal developments regarding matters related to commercial data protection and national security data access. The review benefited from input from Privacy Shield participants and civil society stakeholders.

Privacy Shield ensures that participating companies and relevant government authorities provide a high level of protection for the personal data of EU individuals. Since the Framework’s implementation on August 1, 2016, more than 5,000 companies have made public and legally enforceable pledges to protect data transferred from the EU in accordance with the Privacy Shield Principles. The rapid and continued growth of the program demonstrates Privacy Shield’s vital role in protecting personal data and contributing to the $7.1 trillion economic relationship between the United States and Europe.

The EU and US welcomed the appointment of several key US officials with Privacy Shield responsibilities. The United States Senate confirmed two additional members to the independent, bipartisan US Privacy and Civil Liberties Oversight Board, as well as Keith Krach, who in his Under Secretary role at the US Department of State serves as the Privacy Shield Ombudsperson.

Both sides also had a token ‘to do’ action point to ensure that the idea that this is all still some kind of evolving process is sold:

EU and US officials both stressed the need for strong and credible enforcement of privacy rules to protect our citizens and ensure trust in the digital economy. As provided for in the Framework, the Department of Commerce will revoke the certification of companies that do not comply with Privacy Shield’s vigorous data protection requirements. The European Commission will publish a report on the functioning of the Privacy Shield. This report will conclude this year’s review process.

And that’s that for another year, it seems. From the US side, there’s clear satisfaction that Privacy Shield is serving its purpose, as can be seen in a blog post by James Sullivan, Deputy Assistant Secretary for Services, Industry and Analysis, The Office of Digital Services Industries (ODSI) in the International Trade Administration (ITA) at the US Department of Commerce, in which he enthuses:

Just this month, the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield reached milestones of having more than 5,000 and more than 3,300 participating companies, respectively. A full list of Privacy Shield participants is available at These participating organizations represent a wide variety of industry sectors and sizes, and more than 70 percent of participants are small and medium-sized businesses. All participants transfer data to the United States and have a presence there, with many US subsidiaries of European companies having also joined the Frameworks.

He adds:

An increasingly digital economy also enables even the smallest companies to participate in the global marketplace—so long as they can transfer data across national borders to facilitate trade, investment, and innovation. Moreover, by creating clear, enforceable personal data protection obligations on companies, Privacy Shield enables participating companies to better protect the privacy of their customers, promoting trust. Such trust ensures greater consumer confidence in the use of digital services and helps grow the market, creating jobs and opportunity, while providing valuable services to consumers.

Speaking out

There are still voices raised against this complacency around Privacy Shield, not least from Access Now, an international tech policy NGO, which has once again called for the framework to follow Safe Harbor into its demise, with the onus to do this on the European side.

While conceding that there have been “some timid efforts by the US to finally honor some of its commitments under the Privacy Shield after over two and a half years of inaction”, Access Now’s stance is that US practices and policies still undermine EU data protection law and it’s time the EC dealt with the matter properly. Estelle Massé, Global Data Protection Lead, argues:

The Privacy Shield is an ill-suited framework which does not guarantee people's rights to privacy and data protection and does not comply with EU law. By maintaining the Privacy Shield, the EU Commission weakens Europe’s data protection framework and risks undermining its global leadership role in advancing human rights.

My take

An interesting point that Access Now makes is that critics of Privacy Shield should not be lulled into a false sense of security by the increased noise levels around the possibility of a federal data protection regime akin to GDPR being adopted by the US any time soon. It’s certainly not going to happen prior to next year’s Presidential elections and after that, any changes will obviously depend on who’s tweeting from the Oval Office from 2021 onwards.

I totally endorse Access Now’s call to put Privacy Shield in the trash, but alas expediency will almost certainly win out. There’s the chance that the Court of Justice of the European Union (CJEU) may yet come up with a ruling that forces Europe’s hand, but the wheels of justice grind slowly. In any case, there will be many in Brussels who would prefer to keep on with the annual tarting up of the ‘fudge-colored’ lipstick on the privacy pig, rather than go back to the negotiating table with a US administration whose President regards the EU as a group created specifically to undermine US interests.

So for now, let's all just close our eyes and think about those trillions of dollars...


