Privacy Shield, the transatlantic data transfer agreement now used by more than 2,000 companies, comes up for its first annual review in September. This week, data protection authorities are already emitting warning growls.
The 2016 agreement is the replacement for the weak and muddled EU/US Safe Harbour principles that were declared inadequate by the European Court of Justice (ECJ) in October 2015.
Privacy Shield has come under plenty of criticism from the start. Despite months of negotiation (the 2014 ECJ decision overturning the EU Data Retention Directive, thanks to a challenge by Digital Rights Ireland, was early writing on the wall for Safe Harbour), deeply divided US and EU negotiating teams hammered together Privacy Shield in a flurry to (almost) meet an imposed deadline.
Even then, Privacy Shield initially was little more than verbal promises. As it took written shape, it has been criticised for reliance on letters of assurance from the US rather than strong legislation, and because its privacy-protection centrepiece, a US privacy ombudsman, is fulfilled by the US State Department equivalent of a junior minister answerable to the department that also oversees the very surveillance and intelligence agencies causing EU concern.
Lurking uncertainty about the effectiveness of Privacy Shield spurred the need for the promised review by the European Commission.
Letter to the commission
On Tuesday, the EU’s Article 29 Working Party (WP 29) – Europe’s data protection working group made up of national data protection supervisors and others – issued a statement outlining a letter it has sent to the commission.
The WP 29 has an invited role in the review process and, as its letter makes clear, it intends to spend several days in the US soon on a fact-finding mission, talking to companies, US government representatives and civil society groups.
Often shrugged off in the past for having more bark than bite, the WP 29 is now a far more influential group in the wake of those past ECJ rulings in which the justices essentially confirmed concerns the working group had stated for years. Now a weightier ethical watchdog, its contributory role in assessing Privacy Shield will make it a bellwether for indicating any serious problems.
Spoiler alert: serious problems are expected. Not least as the group pointedly states that it reserves the right to issue its own independent report, in effect if it is not happy with the commission’s report or decisions.
The WP 29 states several critical (and long-standing) areas of alarm in its letter to the commission, some already voiced in an opinion on the newly-minted Privacy Shield way back in pre-Trump era April 2016 (http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf). Post-Trump, some ill winds are blowing.
In the Tuesday statement, the group flags an intention to examine both commercial and law enforcement/security access to, and management of, EU data.
Surveillance capitalism
On the commercial side, the group raises the automated (algorithmic) handling of data and data use by "organisations acting as agents/processors". This is a vast and concerning area, as a comprehensive, must-read new report (http://crackedlabs.org/en/corporate-surveillance) this month on so-called surveillance capitalism reveals. Just consider the report's tagline: "How thousands of companies monitor, analyse, and influence the lives of billions."
Even more sharply, the WP 29 raises questions about security and privacy, reflecting growing scepticism that the Trump administration, in action or policies, can meet Privacy Shield’s guarantees.
The WP 29 says it “has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible’, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB (Privacy and Civil Liberties Oversight Board) as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”
Executive order
In short, the group is worried about Trump’s executive order stating non-US citizens lack data protection rights (even if the administration says this doesn’t impinge on Privacy Shield), the drive to give agencies more surveillance powers, including the ongoing debate over section 702 of FISA (Foreign Intelligence Surveillance Act), which concerns surveillance of non-US citizens, and Trump’s failure to fill thousands of key roles across the US government, months after taking office.
With the stringent new General Data Protection Regulation (GDPR) taking effect in May of next year, privacy and data protection can no longer be viewed by EU or US organisations and government bodies as peripheral inconveniences.
That places enormous pressure on the commission to ensure the Privacy Shield review is honest and the actual agreement effective.
Unfortunately, though, the agreement needs the US as equal partner. Under Trump, with his cynical, cartoonish assaults on civil liberties and his lacklustre, confrontational approach to EU relations, achieving that seems a Sisyphean task.