Safe Harbour’s replacement will remain under scrutiny

As with Brexit, we are going to have to live with the Privacy Shield, the replacement for the US/EU data transfer agreement Safe Harbour. And as with Brexit, what that means in substance is anyone’s guess.

Safe Harbour was unceremoniously thrown out by the European Court of Justice in its ruling last year on the Max Schrems/Facebook case.

What we do know is that for now, like it or not, we definitely have Privacy Shield. The agreement was formally approved on Tuesday, with the European Commission stating that companies will be able to start signing up to the new system around the start of August.

"With new privacy protections in place, we are confident the framework will withstand further scrutiny," US commerce secretary Penny Pritzker said on Tuesday.

Such confidence is likely misplaced – at least as Privacy Shield currently stands. This is because it still attempts to address the key concerns of the ECJ within a very US-centric, “just trust us and our system” approach.

The ECJ eviscerated Safe Harbour primarily because the framework could not guarantee that EU data was protected from the bulk surveillance of digital data in the US revealed by leaks from whistleblower Edward Snowden.

Other ECJ concerns related to the flimsiness of Safe Harbour itself. Companies could just click a web form to self-certify, oversight was lackadaisical and prosecutions for non-compliance were more a fiction than a threat.

Over the years I’ve asked about Safe Harbour in practice, querying senior managers in multinationals, lawyers doing due diligence on potential acquisitions, and employees at start-ups, and they’ve routinely indicated that companies viewed Safe Harbour as a minor inconvenience, more box checking than anything else.

For example, at one major and high- profile multinational, a senior European manager told me that US-based managers with responsibility for sales and advertising campaigns utilising location-specific personal data were barely cognisant of European data protection legislation, and mixed data from various locations together, so that EU data was not kept and managed separately.

Another example: a US-based privacy lawyer noted that a UK-based acquisition target, a high-profile start-up, was Safe Harbour certified, but had never properly gathered subscriber data according to EU laws, nor managed that data appropriately and lawfully. As a consequence, the valuation of the start-up dropped considerably as its supposed user-base would, without doubt, be far smaller once fresh data-use permissions were sought from every single subscriber.

The only real teeth ever shown by the Safe Harbour framework came from this emerging reluctance of large companies to acquire or merge with companies that were not in compliance. Once the ECJ began to make strong, pro-data privacy rulings in recent years, acquiring companies realised poor data management was an unwanted risk and threatened shareholder value.

Will Privacy Shield do any better as a data protection mechanism?  On the plus side, it has significant improvements over Safe Harbour. Companies still self-certify, but they can’t just click and be in. They have to apply. There’s greater oversight, planned regular privacy audits, and a range of specific, cost-free mechanisms for citizens to file complaints.

But, the core problem remains that US law allows surveillance agencies to gather data and operate in opaque ways, making it well-nigh impossible to provide any certainty that EU data is handled in accordance with EU protections, whatever letters of guarantee US officials might supply.

Such ambiguity, questioned by data protection authorities in Europe, resulted in last-minute additional guarantees from the US, such as a promise that surveillance agencies would only potentially target non-specific European data, and only in special high-risk cases like concerns about planned terrorist attacks.

But really: how would anyone know? After all, many lawmakers in the US Congress and Senate remain concerned about data-gathering by these agencies on American citizens, much less Europeans.

I suspect this will remain a sticking point and one on which any (already expected) court challenge to Privacy Shield will pivot.

Meanwhile – tellingly – the influential Article 29 Working Party of European data protection authorities has withheld endorsement of Privacy Shield, and will wait until July 25th to meet and issue a formal opinion.

That said, Privacy Shield does have the important, inbuilt mechanism of a required annual review.  That means, as former US federal trade commissioner Julie Brill said on a Dublin visit on Tuesday, it is a "living agreement" and can (and likely, will) be modified. I suspect this will come from a fast-tracked ECJ referral, however, rather than that first annual review.

And with reluctance I do believe that, from a realpolitik perspective – and as a starting point, however imperfect, for businesses to operate from – it’s probably better now to have the common ground of a deeply-debated agreement to work with and adjust, than to stall catastrophically in endless stalemate.