The Privacy Shield data transfer agreement between the US and the European Union (EU) is only four months old, but faces challenges from a number of privacy groups as well as the rise of US President Donald Trump.
Privacy Shield was thrown together earlier this year following the European Court of Justice’s striking down of the EU-US Safe Harbor regime in October 2015. Privacy Shield was a last minute propsal, coming in the wake of over two years of fruitless negotiation to create an updated version of Safe Harbor.
What resulted was seized upon by US cloud vendors to assuage concerns among non-US end users about government surveillance. But from the off the Privacy Shield came under fire from privacy groups which argued that it does not adequately address concerns about US surveillance practices.
EU law allows individuals and/or companies to challenge EU acts within two months of their coming into force. Privacy advocates Digital Rights Ireland (DRI) lodged a challenge with the General Court of the European Union in October.
DRI is claiming Privacy Shield does not sufficiently protect the personal data of EU citizens.
It seeks a declaration from the court that the commission’s implementing decision of July 12th, 2016, “is a manifest error of assessment by the commission insofar as it finds an adequate level of protection in the US for personal data” concordant with the existing data-protection directive. It also seeks a declaration that the commission’s decision on Privacy Shield is “null and void” and an order for costs against the European Commission.
Monday was the deadline for interested parties to lodge their support on either side of the case. The German federal government and the Czech government filed papers lodging their support for the agreement and the European Commission, the EU’s executive branch.
DRI is not alone in its challenge. Three French organizations, privacy group La Quadrature du Net, non-profit ISP French Data Network and ISP industry association Federation, have also brought actions in the General Court. The French groups argue that the US ombudsperson, who is responsible for handling EU complaints about surveillance in the US, is not an effective mechanism for dealing with complaints and that the ombudsperson lacks sufficient independence.
Another factor that’s come into is the election of Donald Trump as President of the United States. Privacy Shield was signed up to by the Obama administration. Ted Dean, deputy assistant secretary for services at the U.S. Department of Commerce, has argued that there is a precedent set:
Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration. This is the type of program that carries on across administrations.
But Trump’s stance on electronic surveillance in the war on terror and bulk data collection has raised concern that the incoming administration in the White House may be less than sympathetic to the concerns of non-US cloud users.
EU Justice Commissioner Vera Jourova said earlier this month that the European Commission would be tracking the new regime’s policies:
Over the last months, the EU-US Privacy Shield has got off to a very good start start. More than 500 companies have already been certified and more than 1750 have applied. These companies thereby committed to provide high standards of protection for personal data in the transatlantic data flows.
I can assure you that the Commission will closely monitor the respect of protection standards and the correct implementation of both the Umbrella agreement and the EU-US Privacy Shield under the new US leadership.
Meanwhile Adina-Ioana Valean, Member of the European Parliament, told the European Data Protection and Privacy Conference in Brussels that “a lot of things were said” during the U.S. presidential campaign. She warned:
We should sit and wait for the next move and then we can judge.
All of this leaves Privacy Shield looking less than robust, long term. Lawyers at White & Case LLP note:
The Privacy Shield was intended to create greater certainty for businesses that need to send personal data from the EU to the US. However, in less than three months, it has attracted two legal challenges, raising concern among the hundreds of companies that have already signed up to the new scheme, as well as those that are currently going through the application process. If either of the legal challenges succeeds, the Privacy Shield is likely to be entirely undermined. In the meantime, the status of the Privacy Shield, and confidence in the scheme, remains uncertain.
That said, more than 500 companies have signed up to the agreement, including Microsoft and Cisco.
Here at diginomica, we’ve taken a dim view of Privacy Shield from the moment it was hurriedly cobbled together to calm nerves among buyers. That said, the ongoing uncertainties around its long-term future affords no pleasure. For the sake of the cloud industry and the wider global digital economy, there needs to be a suitably robust legislative framework in place. Sadly, Privacy Shield isn’t it - and I suspect the Trump administration will provide the final proof of that in short order.