US ignores Europe’s threat over Privacy Shield deadline - what now?

The European Union (EU) is running out of patience with the US over its lack of enthusiasm to establish a new data and improved data transfer and protection agreement, despite it being years since the collapse of Safe Harbor. However, it doesn’t seem that the US is paying much attention to the EU’s threats.

One of the challenges with issuing threats is having to weigh up the risk of your bluff being called and whether you’re prepared to follow through on talking tough. That’s pretty much where we are now with the Privacy Shield transatlantic data transfer arrangement – and that’s got serious implications for US tech providers and their users..

Privacy Shield is the after-the-last-minute fudge put in place after the European Commission (EC) declared that the long-running Safe Harbor scheme was, well, not safe at all. Despite having had years to get their act together, both the Europeans and the American powers-that-be didn’t find enough time between grandstanding to put together a serious Safe Harbor II.

The result was a hastily-cobbled-together scheme called Privacy Shield, which was notable mostly for two things.

Firstly, no-one who was serious about data privacy, from politicos through legal experts to civil servants, ever thought it was going to be fit-for-purpose. Not from day one and nothing’s happened to make anyone change his or her mind.

Secondly, the US Government simply hasn’t bothered to meet its side of the bargain in terms of meeting the obligations laid out in the agreement. And with the Trump administration focusing its attentions on tariffs, trade wars and pulling out of international agreements, that seems unlikely to change any time soon.

Back in July, patience began to run out and the European Parliament adopted a resolution calling for the suspension of the Privacy Shield agreement unless the US administration takes urgent action to meet its obligations, with a deadline imposed of 1 September.

It’s now 4 September.

Nothing’s changed.

So where to now?

Call my bluff

In July we noted:

There’s good reason to believe that the US might just call the EU’s bluff here. The European Parliament’s resolution is non-binding. It’s up to the European Commission to take action – ie: the Eurocrat career civil servants, not the headline-seeking politicos.

While the deadline given here is September, the critical date to look out for is really October, when the second annual review of Privacy Shield is due to take place. If the Commission blinks and decides to sign the mechanism through for another year, Washington can basically keep on its current path. That’s a gamble that is likely to be felt worth a roll of the dice…

Given the current anti-EU rhetoric coming out of the White House, the chances of a threat from Brussels falling on open ears is preposterously unlikely. If anything, it’s more likely to become part of an early morning Twitter rant berating Europe as trying to stop America being made great again.

So does the EC have the nerve to pull out? I very, very much doubt it. We’ve been here before. The best we’re looking at here is some ‘look how tough we are’ posturing, a ‘must do better or else’ signing off of Privacy Shield for another year and the pulling around us all of an increasingly moth-eaten comfort blanket.

Now, 1 September was a Saturday and the US had a public holiday yesterday, so if we’re being reaaaaaaally generous, we could say that we shouldn’t write off the silence on the deadline from that direction just yet. But I’m not imagining that it’s going to be top of anyone’s mind in Washington today.

While the 1 September deadline threat has been the one that’s attracted most attention, it’s worth remembering that the EU’s data protection working party had issued an earlier threat, with its own deadline of 25 May, for the US Government to fill the position of independent Ombudsperson as required by the Privacy Shield Ts & Cs. That deadline was ignored with the same indifference that the 1 September one is likely to be.

(There had been a temporary ‘holding position’ person acting as Ombudsperson in the form of Judith Garber, but she’s now moving on to become the US Ambassador to Cyprus!)

In Europe, the Commission has yet to make any public statement, but again that’s pretty much what you’d expect – pursue the status quo and keep your head down until it’s absolutely unavoidable. From Brussels PoV, I’d imagine the prevailing thesis will be to kick any action down the road to October and the second annual review of Privacy Shield.

Others are more outspoken. Access Now, an international NGO that focuses on human rights and tech policy, is calling for the Europeans suspension threat to be followed through upon, arguing that:

The US Congress and the Executive have continuously ignored or consciously disregarded the provisions of the Privacy Shield and turned a deaf ear to the repeated calls for compliance by EU government institutions and experts. For instance, the EU Commission has repeatedly identified the functioning of the Privacy and Civil Liberties Oversight Board (PCLOB) and the Ombudsperson as a key component for the continued viability of the Privacy Shield. Yet, since 2017, the PCLOB has been lacking quorum and the position of the Ombudsperson remains vacant.

Over the summer, Access Now has followed developments in the US regarding nominations to the PCLOB and the Ombudsperson. Even if these positions were now to be filled, larger structural problems would remain..the Ombudsperson mechanism is not adequate to provide protection that is essentially equivalent to that prescribed by EU law…As negotiations with US counterparts did not lead to significant progress in the functioning of the arrangement over the past 19 months, it is high time for the EU Commission [sic] to take action to protect the rights of EU data subjects and suspend the arrangement.

Amie Stepanovich, US Policy Manager at Access Now, is downbeat about the likelihood of any change of stance by the American authorities under the current regime:

The ongoing expansion of the US surveillance apparatus and the disdain this US administration shows toward human rights globally continue to undermine the validity of the Privacy Shield and its capacity to protect privacy. These facts necessitate reflection on what more (or rather, less) the United States would have to do to vacate the Privacy Shield and how much longer the EU Commission can hold its nose to tolerate the US government’s willful dereliction of its responsibilities.

Personally my answer to that last point would be – as long as they think they can get away with it. There’s a philosophy that allows lethargy to become strategy and the Commission has plenty of past masters in this mindset.

What to do?

But with more than 4000 US companies signed up for Privacy Shield as their data transfer ‘tick box’, what happens if the Commission does screw up the nerve to follow through on its threats? More lipstick on another pig?

For European users, the drift is likely to become more-and-more towards tougher in-region data sovereignty rules, with US providers left to pick up the additional cost burden that would entail, a burden that would in turn have to be passed on to someone…

There are options, of course. Bill Mew, Cloud Strategist at UKCloud, argues:

With the risks of revocation or suspension of Privacy Shield now escalating, reliance on Privacy Shield alone is inadvisable. Firms could consider the use of the EU Standard Contractual Clauses, although these are also being challenged in the European courts, or prepare for whatever other methods are approved by the EU regulatory authorities following the Privacy Shield review. A more certain (risk-free) course of action would be to opt for complete data sovereignty (especially for personal data), for example by retaining the data in the UK and using a UK-based service provider for these workloads.

Firms that operate in the US are subject to US law, including FISA and the CLOUD Act, neither of which will easily be incorporated into the next version of Privacy Shield. While they can offer a level of data residency (offering to keep your data in the UK), the CLOUD Act eliminates protection for data stored overseas, and provides them with no legal recourse to withhold data from the NSA and other US law enforcement bodies, meaning that they cannot guarantee data sovereignty.

My take

The problem is that the two sides in this have very different attitudes to data privacy and protection. There’s very little consensus to start from, other than some self-congratulatory press releases.

I did note with interest a prediction from European think tank VoteWatch.EU, which suggests that more than half of current Members of the European Parliament (54%) support a tougher line on data protection and are likely to increase their clout in the next round of elections. In contrast, the US Government shows little interest in this direction, but considerably more in supporting increased surveillance and access to data on a global basis.

For the Europeans, it’s time to put up or shut up – and this is far too crucial an issue to take the latter option. I’ve said before that this is like the old joke – “How do I get from A to B?”. “Well you shouldn’t start from here!”. But here is where we do have to start from. The US authorities need to be made aware of the seriousness of this situation – and the tech industry needs to play its part in ramming that message home to ears that almost certainly don’t want to listen.