Safe Harbor 2.0 (Privacy Shield) “not robust enough”, says EU data watchdog

In one of the very early episodes of HBO political satire Veep, some of the Vice President’s special advisers discuss the use of the word ‘robust’. The Vice President is due to give a speech, and in a very funny exchange, the advisers seem very pleased with themselves for coming up with a such a strong, yet inoffensive adjective. The exchange goes something like this:

‘Considered response’ is now gonna be ‘robust response’.
‘Robust?’ Damn, that's good.
Yeah, I mean, it's subtle enough to seem loyal to POTUS.
- That's gonna electrify DC.
- Oh, it's gonna AC DC.
Robust is a good word.
And you don't hear it often, like bumptious.
Yeah, it's what you want to hear in a hostage crisis.
Robust, not bumptious.
Mike, what do you think? What do you think about robust?
Robust? I like it.
It makes me think of wine.
It's actually how I like my reds.

And it seems that the European Data Protection Supervisor’s (EDPS’s) chief Giovanni Buttarelli also has a soft spot for the word. Without wanting to aggravate data sharing negotiations between the US and the European Commission too much, a ‘lack of robustness’ seems like a very EU-way to relay concerns relating to the replacement of the Safe Harbor agreement with the ‘new and improved’ Privacy Shield deal.

The Privacy Shield deal was meant to come into effect in June, stepping in for the long running Safe Harbor arrangement between the EU and US, which was shut down by the European Court of Justice at the end of last year.

In a statement released this week, EDPS’s Butteralli said:

I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms.

Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.

More delays likely

Butteralli’s comments echo those of a committee of representatives from data protection authorities from across the EU, the Article 29 Working Party, which last month put forward a number of objections to the ‘new and improved’ data sharing agreement.

Privacy Shield was introduced after the Safe Harbor deal, which had been running since 2000, and allowed US firms to get data from Europe without breaking EU rules, but was scrapped following the Edward Snowden NSA mass surveillance revelations.

The European Court of Justice ruled the Safe Harbor agreement inadequate after the Irish data Protection Commission couldn’t find what data Facebook might have passed on to authorities, because it was protected by the deal.

Some of the ‘improvements’ to the previous data sharing deal, which are included under Privacy Shield, include:

• The creation of a US organisation to handle complaints from EU citizens about Americans snooping on their data (will be interesting to see this in action)
• An annual joint review by the US and the EU to check the new system is working effectively
• Additional assurances that European personal data will not be subject to mass surveillance

However, as my colleague Stuart Lauchlan noted at the time, the new agreement was arguably more about PR and calming nerves - the Emperor’s New Clothes, as it were - than finding an effective new solution. All of which puts US tech, EU tech and consumers at risk of higher costs, poorer service and a hell of a lot of ambiguity.

The Article 29 Working Party last month said:

Concerning access by public authorities to data transferred under the Privacy Shield, the Working Party regrets that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 recalls its longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights.

The EDPS today has said that it agrees and argues that for the Privacy Shield to be effective, it must provide “adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights”.

A lot of the concern also relates to the new General Data Protection Regulation (which is set to harmonise data protection laws across the EU by 2018), which hasn’t been taken into account by Privacy Shield.

Privacy Shield was meant to come into effect by June, but EDPS is urging legislators to take their time to find an “adequate, long-term solution”.

Although Butteralli’s comments and the statement from the EDPS don’t automatically mean that the Privacy Shield won’t go ahead in June, given Europe’s sensitivity over data sharing issues, it makes the whole thing a lot less likely.

My take

On the one hand, there is no point in rushing Privacy Shield through if it just means that it is going to have to be reassess in a year or two. Rather spend the time coming up with an effective solution that stands the test of time.

That being said, the EU and the US had plenty of time to come up with an alternative before Safe Harbor came to an end, and failed to do so.

I’ve got less of a hard stance on this than my colleagues do, in that I do think Europeans should have the right to know what’s happening with their data and I’m glad the the EC bureaucrats are do what they can to make that happen. However, equally, the back and forth and the lack of urgency around the whole thing could severely impact inward investment in the EU and damage smaller European firms looking to grow and scale Stateside.

Basically, let’s get something robust in place.