EU-US Privacy Shield: New Name, Same Crap

This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.

Hmmmm. That sounds pretty familiar. It sounds like:

… the “Safe Harbor Privacy Principles”… are considered to ensure an adequate level of protection for personal data transferred from the [European] Community to organisations established in the United States.

The first snippet is from European Commission (EC) press release dated 2nd February 2016. This announcement hails the agreement of a “new framework for transatlantic data flows”, now to be known as the “EU-US Privacy Shield”. The latter quote dates back to 26th July 2000, when the EC decided the USA provided a “Safe Harbor” for the personal data of EU citizens. But whether you call it a Privacy Shield, or a Safe Harbor, the truth of EU-US data protection relations is unchanged: the European Commission is desperate to pretend that US businesses will respect European data protection law, even when US federal law requires those same US businesses to break European data protection law on the grounds of national security. In other words, Europe’s top bureaucrats keep making promises that they know Americans cannot keep.

It is worth remembering that the EC and Europe’s mediocre data protection agencies kept finding fault with the Safe Harbor throughout the years it was supposedly enforced. Time and again they identified deficiencies, sometimes of a trivial nature, but always indicative of a truth they wanted to ignore: the US simply did not care about a data protection charade that was invented by European paper-pushers, to dupe ordinary European citizens. A 2002 EC working paper said that self-certified US businesses were not being sufficiently transparent about their compliance to Safe Harbor, and that some of the dispute resolution mechanisms had not committed to the Safe Harbor principles. In 2004, an EC report stated that many US businesses had failed to publish a privacy policy, even though the Safe Harbor made this mandatory. The EC also commissioned independent academic research that stated there were “numerous deficiencies in the way in which Safe Harbor has hitherto been implemented”.

By 2013, the EC noted that some data protection authorities were concerned about the vagueness of the Safe Harbor principles, and the high reliance on US businesses self-certifying and self-regulating their compliance. These concerns illustrated the weakness of the Europeans; vagueness and self-regulation were endemic to the original Safe Harbor agreement. The same EC report also observed that revelations about surveillance had raised questions about the extent to which the Safe Harbor had been enforced. But even so, there was no urgency to address these shortcomings until a private citizen, Max Schrems, finally had his day in court, leading to a 2015 decision by the Court of Justice of the EU that rendered the Safe Harbor agreement legally invalid.

In summary, Europe spent 15 years pretending that Safe Harbor ensured European citizens benefited from the extensive legal protections promised to them via European data protection law, even though any impartial objective umpire would have noticed the implausibility of expecting US businesses to police their own compliance, and the contradictions between US mass surveillance and EU privacy rights. So you might think that the new Privacy Shield will address the fundamental problems that plagued Safe Harbor. Think again.

This is the kind of nonsense routinely spouted by Věra Jourová (pictured above), the European Commissioner who is negotiating the successor to Safe Harbor. She talks about restoring trust, but delivers nothing of substance that might actually restore trust. For example, Jourová believes that:

In the context of the negotiations for this agreement, the U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans.

Because spying on foreigners is not the sort of thing that governments might lie about, is it? And how will this assurance be validated in practice – by European spies spying on American spies? Apparently the big breakthrough is that American assurances have been written down, which makes you wonder if European bureaucrats believe everything they read.

As evidence of restored faith, Jourová points to the Judicial Redress Act, which has been passed by the US House of Representatives and awaits consideration by the US Senate. Why would this legislation help Europeans to protect their personal data? Because it would allow them to bring a civil suit against US government agencies, if they have abused their data per the terms of the USA’s 1974 Privacy Act. Because everybody knows how easy it is to sue the US government, especially if you do not live in the US. And we all know what is permitted, and what is not permitted, per the 1974 Privacy Act. And we would all find it easy to gather evidence of the US government abusing our data. Whilst we would all be conscious that we cannot sue the bits of the US government that are exempt from the 1974 Privacy Act. With that in mind, it is obvious why the Judicial Redress Act is ‘key’ to reassuring ordinary Europeans!

Other supposed advantages of the Privacy Shield are that:

  • American businesses will take orders from EU data commissioners. Which is funny, because those data commissioners are pretty ineffectual when it comes to enforcing the rules for European businesses.
  • EU data commissioners will be able to challenge violations of the Privacy Shield. Which is funny, because they never noticed any violations of the Safe Harbor, even when they were stunningly obvious to the rest of us. Max Schrems had to appeal to a higher court because the Irish Data Protection Commissioner rejected his complaint, saying there was no case to answer. Which is funny, because Schrems’ case brought down the whole of Safe Harbor, so obviously there was a case to answer.
  • The European Commission and the US Department of Commerce will carry out an annual joint review of the Privacy Shield. Which is funny, because the European Commission regularly reviewed Safe Harbor, and kept noting deficiencies, but did bugger all about them!

In summary, the European Commission is doing exactly what it did at the turn of the century, choosing to believe everything will be fine, because their bargaining position is so weak and they have little alternative but to hope for the best. The Europeans need to engage with American businesses. The Americans do not need to respect European laws. In such a situation it is not hard to determine which side will pay lip service to the demands of the other, and which side prefers to believe everything they are told.

If you run a business in the EU and you really want to comply with European data protection law – not because it is the law, but because the law expresses principles that are morally right – then I recommend you ignore the Privacy Shield and do what you are expected to do when negotiating data transfers with countless businesses outside of the USA. In other words, implement proper controls over the privacy of personal data, and back them with watertight contracts. For all other EU businesses, be conscious that you may not be able to deceive all your customers, even if you can deceive yourselves. The purpose of the Privacy Shield is to provide you with legal certainty, not to protect the privacy of your customers. If you rely on the Privacy Shield, you will almost certainly free yourself from the potential legal harassment that should naturally follow the over-optimistic promises enshrined in EU data protection law. However, the shield will only protect you from Europeans, and offers no effective defence against the demands of the US government. So if you send data to the US, be conscious that the US government will consider itself free to gather and use that data as it sees fit.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.