EU-US Privacy Shield faces its moment of truth

While you were tucking into your ham sarnie European Commission Věra Jourová touched down in the US to start the first annual review of the EU-US Privacy Shield.

It’s the reason why the internet giants of Silicon Valley can do business in the European bloc, or at least the reason why it can be done this easily. It’s the mechanism which allows these companies to move personal information outside of the European Union. It is the only thing which maintains the privacy and data protection rights of European citizens in the US. Somehow the review of this critical enabler has snuck under the radar though.

“This review will be the moment of truth for Privacy Shield,” said Jourová. “We have put a lot of hard work into this, so now we will see if our efforts are paying off.”

But how important is EU-US Privacy Shield? In a short word, very important. It’s an all-encompassing agreement which essentially guarantees organizations will maintain the principles of European data privacy and protection laws outside of the bloc. If you moving data out of Europe and into a US data-centre, you’ll have to sign-up to this pact (or at least your public cloud provider would have to) or it’s a no-deal situation.

Considering it is such an important document for the digital economy, the foundations of the mechanism are pretty shaky. This is part of the reason for the review. The Privacy Shield’s predecessor, Safe Harbour, was allowed to run its course, ultimately meaning the protections in the US were no-longer guaranteed. In short, US spies had too much access and the European Court of Justice killed off the agreement.

“Europeans insist on having our data protected,” said Jourová (in the pink jacket, smiling menacingly, below). “I expect there will be gaps identified by the review and some proposals for improvements but I don’t expect we will reopen negotiations again.”

So what are the threats the pact is facing?

Firstly, the US government still hasn’t appointed an ombudsman to oversee Privacy Shield. This was supposed to be one of the first conditions of the pact; it is where European citizens can complain should they want to complain. Since President Trump won the election in November, the office has been empty.

This isn’t so much a threat to the pact, as a nuisance. It’s more of a public diss to the European Commission; we’ll get around to it eventually, but the adult-work needs to be done first, the US could be saying. It doesn’t encourage anyone to believe the US are taking the situation very seriously. But to be honest, Trump and his cronies don’t seem to be in a hurry with appointments anywhere. Of the 599 positions which require Senate confirmation in his government, 316 have not had a nominee yet.

Secondly, the pact is facing legal challenges in both Ireland and France. Campaigners claim the pact does not in fact adequately protect the rights of European citizens in the states. The presence of these challenges does not indicate the Privacy Shield does not work, there will always be challenges when dealing with a sensitive process like this, but it does suggest a weakness.

Combine these challenges with noise coming from other corners of the industry and you start to get concerned. European Data Protection Supervisor, Giovanni Buttarelli outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance, believing the pact would not be strong enough to stand up. Buttarelli does not have the power to strike down the agreement, but the European Data Protection Supervisor is a pretty influential decision maker.

Article 29 Working Group is another respected group which has indicated worry over the pact. Max Schrems, who is credited with initiating the Safe Harbour downfall, also discredited the agreement. But the European Commission decided moving forward was the best course of action, perhaps accepting Privacy Shield was better than the alternative; nothing.

Ultimately, should Jourová not be able to iron out the creases in the Privacy Shield agreement, there could be some serious problems down the road. The most immediate risk would be the European Court of Justice striking down this agreement was well, leaving US firms in an odd legal limbo when it comes to Europe. But the consequences could be much more widespread.

The EU-US Privacy Shield is seen by some as a template agreement for other countries wanting to do business with the Europeans, but not having adequate data protections laws. Imagine a documents with an Insert Country line towards the top. Sign it and you agree to abide by European data protection law, and therefore you can operate in the block. If EU-US Privacy Shield does not exist, you don’t have a template for anyone else.

Japan is another area which could be a bit of collateral damage. Having agreed a free-trade agreement earlier in the summer, the European Commission was keen to sign a similar EU-Japan Privacy Shield. Part of the under-review agreement may have been used as a template, or maybe the team will just want to concentrate on one thing at a time. In any case, distractions and complications will not be appreciated.

Telecoms.com is not saying the European Court of Justice will strike down the Privacy Shield in the immediate future. We are also not stating the Privacy Shield is ineffective either. But with legal challenges and data protection experts voicing their own concerns, there is certainly a bit of smoke.