The EU-US Privacy Shield is being questioned just two years after it was agreed. How much longer can it last?
It always seemed inevitable. Earlier in July, the European Parliament adopted a resolution highlighting the perceived weaknesses of the EU-US Privacy Shield. The framework, agreed two years ago between the European Commission and the US Department of Commerce, is designed to allow companies to transfer personal data from the EU to the US. But with the Parliament’s recent verdict, this might be in jeopardy.
This would not be the first time that EU-US relations have been strained on this issue; the European Court of Justice (ECJ) in the Schrems case found the Shield’s predecessor, the ‘Safe Harbour Agreement’, contravened EU law as the US did not provide an adequate level of protection of the rights of EU citizens.
This decision, made by the Court in October 2015, came in the aftermath of the Snowden revelations which exposed the secret surveillance regime of the US and others, giving rise to concerns among many about their right to privacy and data protection. Consequently, the EU and US came together to work out a new agreement to deal with the shortcomings of the Safe Harbour.
Eventually, these negotiations culminated in the Privacy Shield. Penny Pritzker, commerce secretary of the US who led the negotiations with the EU, said that the new arrangement provided “a bridge between the two regions, acknowledging the effectiveness of both systems.”
But it was not as welcomed by others. Max Schrems, the academic who brought the legal challenge against the Safe Harbour, labelled the Shield as “the product of pressure by the US and the IT industry — not of rational or reasonable considerations.”
As such, Schrems predicted that the Shield would fail, and in its resolution the European Parliament agrees. It thus seems that it is only a matter of time before the Shield is invalidated and the US and EU are forced back into talks to work out a replacement.
If that turns out to be the case, the two may have to address some of the major concerns raised in the resolution. One of them was the need to give the ombudsperson, responsible for dealing with individual complaints, more powers. It was suggested, for example, that they should be able to request information from US intelligence agencies, as well as other authorities, and also have the ability to cease unlawful surveillance activities. The EU Parliament also insisted that the difficulties for non-US citizens to challenge State surveillance due to ‘standing’ requirements be eased.
Another issue raised was in relation to the oversight provided by US authorities over those organisations certified under the framework. The EU Parliament called for a more proactive role for the authorities so as to prevent and mitigate prolonged breaches of data protection rules, like that which took place in the Cambridge Analytica case.
It is clear from recent history, however, that even addressing these concerns might not be enough. If the Shield continues in its current form, its substance is unlikely to make up for its ultimate weakness. Mere promises by US authorities to commit to certain data protection principles will never have the same weight as binding obligations, leaving open the chance that they are not adhered to or are only partially followed.
This provides little certainty for those businesses who rely on such arrangements, nor does it provide robust protection of rights. Plus, the alternative legal mechanisms for data flows to the US, such as the use of standard contractual clauses, may be particularly cumbersome for some (yet even this mechanism is being challenged in the courts).
Thus, in order to avoid this uncertainty and to better achieve the safeguards as proposed by the European Parliament, the formulation of an international treaty would be the best option. This would create clear binding obligations between the EU and the US and secure the valuable future of transatlantic data flows.
The obvious difficulty with this would be getting the two parties to agree to such an arrangement. The US is unlikely to commit to strict binding obligations with which it may have problems, and likewise the EU may be reluctant to give up its decision-making autonomy in relation to third country data flows. The recent furore over tariffs may not bode well for relations between the two either.
But for the US to maintain access to the EU’s market, and the EU to benefit from the services offered by the various tech companies from across the water, a data pact is perhaps the best route. Until then, prepare for more disruption and spats.