The EU and the US have begun talks over a possible successor to the Privacy Shield agreement that could put data sharing between the EU and the US on a legal footing.
The EU and US Department of Commerce said today that they had initiated discussions to “evaluate the potential” for an enhanced EU-US Privacy Shield that would meet the privacy requirements of EU law.
The discussions follow the European Court of Justice’s (ECJ) decision to strike down Privacy Shield for breaching EU privacy and human rights law amid concerns that US surveillance and intelligence gathering offers few rights of redress to EU citizens.
More than 5,500 businesses, including Amazon and Microsoft, signed up to Privacy Shield to transfer data from the EU to the US.
The ECJ struck down Privacy Shield’s predecessor, Safe Harbour, in 2015 over near-identical concerns about US surveillance and the lack of privacy rights for EU citizens.
The US and the EU will need to reach a new agreement that offers EU citizens legal rights of redress in the US, if they believe their data has been used unlawfully by US law enforcement or intelligence services.
But reconciling EU privacy and human rights law with US laws that enable what the European Court of Justice has referred to as “mass and indiscriminate” surveillance against non-US citizens will be difficult.
Legal minds are divided over whether the EU and the US will be able to find a solution that will survive future legal challenges in the European Court of Justice.
Quick agreement is possible
Eduardo Ustaran, partner at law firm Hogan Lovells, said that he believed the US and EU systems of controls were not so far apart and that, although a quick resolution was unlikely, it was not impossible.
“Despite the scepticism around this, I think that it is still feasible to try to make the concept work. It is clear from the European Court of Justice judgment that the two issues to address are the controls on surveillance powers and the availability of effective remedies for individuals,” he said.
The ECJ raised concerns that EU citizens have no rights in the US courts if they want to challenge the collection and use of their personal data by US law enforcement and intelligence agencies.
The Snowden leaks in 2013 disclosed that US technology companies, including Facebook and Apple, were obliged to share their customers’ private data with US government agencies under the PRISM programme.
The US also has powers under an order issued by President Obama, Executive Order 12333, to collect and retain internet traffic and data from submarine telecommunications cables before the data reaches US soil.
US Ombudsperson scheme ‘toothless’
Privacy Shield set up an ombudsperson in the US to provide EU citizens with rights of redress for privacy breaches by the US government.
But the European Court of Justice found that the ombudsperson did not offer EU citizens the right to an effective remedy in the US, as required by the European Charter of Fundamental Rights.
The court found that although the ombudsperson was said to be “independent from the intelligence community,” in practice the ombudsperson reported to the US Secretary of State.
There was nothing in the Privacy Shield decision that indicated the ombudsperson had the power to make binding decisions on the US intelligence services, and the agreement offered no legal safeguards to EU citizens, it said.
“The ombudsman scheme was meant to be a mechanism for people to complain about the use of their data. It was toothless and it wasn’t transparent,” said lawyer Dai Davis, a specialist in data protection.
Any successor to Privacy Shield will also need to take into account the European Court of Justice’s findings when it struck down Privacy Shield’s predecessor Safe Harbour in 2016, potentially putting pressure on the US to reform its mass surveillance programmes.
The court’s judgement referred to the findings of the Irish High Court that the US carries out indiscriminate surveillance and interception on a large scale.
“Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception,” the court said.
Davis said that a replacement Privacy Shield, at the very least, “would have to give EU individuals the right to challenge in US courts the manner and form in which the US collects data about them. The approach the US court takes would have to be akin to EU human rights law”.
But unless the US is prepared to make significant legal changes, the end result may be a “sticking plaster” agreement that will survive for another 5 years until it faces another challenge in the European Court of Justice, he said.
Pressure to act quickly
The US and the EU face strong commercial pressures to reach an agreement quickly. It took nine months to agree a successor to Safe Harbour, but the financial impact of Covid-19, combined with legal uncertainty for businesses trading with the US, may lead to greater urgency.
Businesses can no longer legally transfer data to the US under Privacy Shield and must carry out stringent privacy audits if they use alternative mechanisms, such as Standard Contractual Clauses (SCCs) or, in the case of multinationals, Binding Corporate Rules (BCRs), to share data with the US.
Companies may be at risk of heavy fines under GDPR, or class actions from the public if they fail to ensure the privacy of EU citizens.
Andrew Harstone, partner with law firm Shakespeare Martineau, said that he struggled to see how the EU and the US could reach a legally watertight agreement unless the US changes its practices around accessing personal data.
“As with Safe Harbour and Privacy Shield, unless there is a change it will just be a sticking plaster until struck down by the courts,” he said.
“But from a business perspective, I don’t think it is practicable not to allow data transfers to the US. It is just too important a trading partner.”
Former US ambassador attacks Schrems
A long legal battle by Austrian lawyer Max Schrems, who has complained that Facebook Ireland is unlawfully transferring his private data to the US, led to the EU court striking down Privacy Shield and its predecessor Safe Harbour.
In a sign of the disquiet felt by the US over the ECJ decision, the former US ambassador to the EU, Anthony Gardner, raised questions about how Austrian lawyer Max Schrems was funding his cases in a personal tweet.
“Time for Max Schrems to make clear who has been financing his court cases. I doubt they have been all crowd funded. Funny how he doesn’t seem to care about misuse of EU citizens’ data by Russia or China,” he said.
Schrems said that 90% of his legal work was funded through pro bono work and the rest was funded by 3,300 supporting members of his privacy-focused organisation noyb.
The EU and the US said in a joint statement that they “recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies”.
“We share a commitment to privacy and the rule of law, and further deepening of our economic relationship, and have collaborated on these matters for several decades.”