Indiana Jones and the EU-US Privacy Shield – Updated

Just like the Ark of the Covenant, the Holy Grail, bizarre alien crystal skull things and whatever it was they were looking for in the Temple of Doom, there is another object of great supposed power and endless fascination. Known only as the ‘EU-US Privacy Shield’ – to be wielded with the mighty Sword of Data no doubt – it is rumoured to have the ability to prevent secret intelligence-harvesting, solve personal data disputes and single-handedly rescue inter-state trade. Like a less exciting Corby trouser press. And now this amazing artefact has been uncovered, by the European Commission no less, buried at the bottom of a Brussels file marked ‘Desperate Ideas to Buy Time’.

More mundanely, the EU-US Privacy Shield is the culmination of the negotiations the Commission have managed to undertake with their US counterparts following the Schrems judgment. The Commission gave a pretty good heads-up of what was coming on 1 February, which I posted about here, and this was followed on 2 February with the formal announcement following the conclusion of the talks. Aside from the preposterous name, what then does the EU-US Privacy Shield actually achieve?

The short answer is diddly squat. Buried somewhat in the text of the press release is the information that nothing has actually been agreed or set up at all. All of the work has still to be done. The US has not yet set up its “Ombudsperson” for resolution of complaints about intelligence-gathering activities. The Commission has not yet even drafted an adequacy decision in relation to the US under Article 25(6) of the Directive, which it recognises with appropriate humility only “could” be approved. The only thing that actually appears to have happened at this point is that the US has written a nice letter promising “that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.” So that’s alright then.

Cynical readers could be forgiven for reading this and thinking that there does not actually seem to be any sort of replacement for Safe Harbor at all; at least not yet. They would be right. There is not. As of this moment, there is precisely no basis on which transfers of data to the USA can be any more justified than they were when the CJEU ruled in Schrems. All the press release does is try to buy some time to persuade the various national data protection authorities and the Article 29 Working Party that they shouldn’t take any action to enforce the outcome in Schrems because things are going to get better soon. No data privacy yesterday; no data privacy today; possibly (but probably not) data privacy at some unspecified time in the future which will certainly not be tomorrow.

In the meantime, the alternative methods of protecting personal data which have been aired and discussed numerous times on this blog will have to be relied on. The difficulty in reaching a deal with the US is hardly surprising, and it is difficult to blame the Commission for that. The wider issues are political at their highest. But the Privacy Shield announcement doesn’t even begin to cover the cracks.

There are murmurings of proposed challenges to the Privacy Shield, which is hardly surprising given the paucity of what has been achieved, but at the moment such a challenge would be premature because there is no Shield to challenge. The real question is whether the ICO (and its European counterparts) is going to pragmatically give the Commission more time, or whether it is going to start enforcing Article 25 and the eighth data protection principle.

UPDATE:

The Article 29 Working Party has now given its view on the Privacy Shield. It has asked for the relevant documents relied on by the Commission by the end of February to reach its own assessment on the “legal bindingness” of the arrangements. The WP made clear that the US has made steps in the right direction during negotiations with it, but that there are still real concerns over the scope of the US protections and the remedies available to EU data subjects. It stressed that transfers could not take place under Safe Harbor (although it did not make clear whether the regulators will be enforcing this) but then concluded that following its assessment of the Shield after the end of February, it would also review the compatibility of Binding Corporate Rules and Standard Contract Clauses (i.e. the only tools left for US data transfer) with the protections required in EU law in the light of the lack of adequate protection currently afforded by the US. This will cause a certain amount of alarm to data controllers, who had been advised by various sources (including the Commission) to use them instead of Safe Harbor. Also alarming, but to data subjects, is the green light from the WP to continue using them for the moment. But if the WP has concerns about how much protection the BCRs and SCCs provide in the US context, why is it nonetheless approving their use in the meantime? The reality is, of course, that the invalidation of Safe Harbor has left a huge legal and enforcement mess which cannot be fixed quickly, but which if properly enforced would mean data transfers grinding to a halt with significant implications for a large number of major companies and institutions.

Christopher Knight