Safe Harbour 3.0?

The Privacy Shield is dead. What next after Schrems II?

If it reaches the ECJ, it will fail. This was the prediction of Max Schrems, the eminent privacy activist whose name is colloquially used to identify now two landmark ECJ cases on transatlantic data flows. The first was in 2015, when the Safe Harbour, a legal mechanism validating data transfers from the EU to the US, was struck down. On July 16th, the Privacy Shield suffered the same fate.

The Court was unequivocal in its decision: the Privacy Shield did not provide an adequate level of protection for EU citizens when their data are transferred to the US. Two aspects in particular were to blame. Firstly, US law does not contain the limitations on the use of certain surveillance powers by public authorities as required under EU law. Secondly, non-US persons lack an effective legal remedy against US public authorities when their rights might be infringed. Accordingly, the ECJ was left with little choice but to invalidate the 4-year-old legal instrument.

Such a verdict would not have been a surprise to many. Both the European Parliament and the European Data Protection Board have consistently questioned the validity of the Privacy Shield—such unease about US surveillance law has lingered ever since the Snowden revelations in 2013. So strong are these concerns that even the potential disruption to the $7.1 trillion generated by EU-US data flows was not enough to dissuade the ECJ from nullifying the controversial legal instrument.

While this upheaval may be good news for some, it is a headache for others. Thousands of organisations must now re-evaluate their data processing operations which involve transfers to the US and seek out other legal mechanisms to legitimise such activities. Standard contractual clauses (SCCs) may seem like the obvious fallback, but the stipulations by ECJ on this mechanism makes them a cumbersome choice. Many are now reading the SCCs in earnest for the first time.

An adequacy decision from the European Commission would of course make life much easier for such organisations. Some may be hoping that the politicians will relieve the burden by swiftly agreeing Safe Harbour 3.0, similar to how Schrems I led to the birth of the Privacy Shield. They are likely to be disappointed.

The respective histories of Europe and the US provide important explanations. The former, scarred by the authoritarian governments of the past, has sought to build a body of law imposing the necessary limitations and safeguards to prevent such tyranny. The latter, scarred by the events of 9/11, has sought to carry on its relentless ‘war on terror’ partly through the empowerment of its intelligence agencies. 

Consequentially, the treatment of privacy is noticeably different. For the US, it is very much a property right of which has often been secondary to matters of national security (and even the flourishing of a certain high technology hub located on the West Coast). For the EU, privacy and data protection are codified as fundamental rights guarded by supranational institutions, making them not as easily dispensable.

Still Working It Out

As such, a Safe Harbour 3.0 would be an insufficient solution to the problem highlighted twice by the ECJ. The Privacy Shield was a fudge which failed as a conduit between two fundamentally different data protection frameworks. An international instrument alone cannot resolve this. A change in US law or EU law is required before transatlantic data transfers can flow freely again.

So who will make the necessary change? The EU is highly unlikely to show any appetite for watering down its regime for the sake of US data flows: its determined crackdown on the tech giants across various domains—tax and antitrust to name a few recent examples—has shown little sign of slowing down. The prospect of a US Federal privacy legislation could be a promising fix, but it may be a while before that becomes a reality.

In the meantime, other questions remain. What is to become of the adequacy decisions for Canada and New Zealand since both are members of the Five Eyes intelligence sharing arrangement along with the US? Will the UK, another member, be deemed adequate when it leaves the EU for good at the end of this year? When are SCCs suitable for transfers to third countries and when are they are not? What kind of supplementary safeguards can be used to make up for the deficiencies in a third country’s legal framework for data protection?

In the short-term, these uncertainties, among others, will remain. The Irish Data Protection Commission has said the use of SCCs for data transfers to the US are now “questionable”, whereas the ICO has advised organisations to continue to use the Privacy Shield until further guidance has been issued. Nevertheless, for the long-term, the solution to transatlantic data flows does not lie in a Safe Harbour 3.0. The politicians will have to do more than that.