Privacy Shield about as useful as Captain America’s shield

Data protection and privacy agreement for EU citizens falls far short

Another week, another pummelling of the Privacy Shield, which increasingly seems as likely to protect EU citizens' digital data as Captain America's comic book shield.

The proposed Privacy Shield agreement on data transfers between the US and the EU received another body blow this week as it trundles along towards seeming annihilation – if not in the European Parliament, then at the hands of the European Court of Justice (ECJ).

As expected, on Tuesday the EU's top data privacy official, European data protection supervisor Giovanni Buttarelli, indicated the Privacy Shield, the intended replacement for the old Safe Harbour data transfer principles, is not – yet – fully baked. His 16-page formal document notes that too many needed ingredients are still absent from the mix.

“I appreciate the efforts made to develop a solution to replace Safe Harbour, but Privacy Shield as it stands is not robust enough to withstand future legal scrutiny,” Buttarelli said in a statement.

“Significant improvements are needed … to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution [via] transatlantic dialogue.”

He’s outlined an extensive and detailed list of “need to do better” problems in his 16-page opinion, but Buttarelli in particular doesn’t like the lack of legislated-for US protections against bulk surveillance and secretive data collection in the vague name of national security, the lack of clarity in how protections will work, uncertainty about how appeals would function, or that the proposed US ombudsman would sit within the very department that also is home to US surveillance agencies.

“For the Privacy Shield to be effective it must provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights,” Buttarelli said.

His opinion is no surprise. Buttarelli had indicated in advance of his formal opinion that he believed it failed to meet the requirements of EU data protections or adequately address the concerns highlighted by the ECJ in its Schrems judgment, when it threw out Safe Harbour.

Privacy issues

But privacy advocates, and the few lawyers that seem to understand EU/US privacy issues, have been saying the same since the proposal was announced late last year.

Why then, was this proposed agreement (for it is not yet an agreed agreement) wheeled out last November in this raw state, as if it were nearly finished?

Did EU negotiators, or those on the US side, really believe letters of assurance from US officials would be enough to resolve concerns about secret data gathering, post-Snowden?

The more you look at it, the more the Privacy Shield looks like a wishful rough draft produced mid-negotiations in order to meet a looming deadline, while facing the real risk that data protection authorities might just halt data flows completely, to devastating business and consumer effect.

So what happens next? The commission can go away and negotiate some more. Or, it can ignore all these well-voiced concerns, around the exact same issues, from a range of individuals and organisations that have extensive knowledge in the broad area of privacy, law and policy, and leave the agreement as is.

The proposed Privacy Shield – in whatever form the commission decides – will be given a final decision probably in July, when it goes before another group of EU officials.

Disdain?

Unless it is significantly altered – primarily from the US side, as that is where the concerns really lie – it is only a matter of (short) time before a case is advanced to the ECJ. It’s likely the court would view the Privacy Shield with the same concern – or could I venture, disdain? – that it brought to bear on the late Safe Harbour.

However, such an extraordinary about-face from the US seems equally unlikely. And a looming presidential election in the US throws further uncertainty on where negotiations might go in future.

So what are businesses to do?

Unfortunately, there’s no easy answer. While many businesses – multinationals in particular – and lawyers (primarily US-based) assured companies that they could use a particular type of standard model contracts to cover the transfer issue, and the commission also indicated this to be the case, plenty of questions about their true validity have arisen since.

And, our own Data Protection Commissioner’s Office last week asked the ECJ to rule on whether such contracts satisfy data protection and privacy requirements in the absence of Safe Harbour or a replacement.

If they say no, then we are at a challenging stalemate.