US and EU May Try for Another Privacy Shield


The United States is trying to hammer out another data transfer agreement with the European Union after the EU Court of Justice struck down the EU-US Privacy Shield framework last month for “inadequate” privacy protections.

“The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case,” the US Department of Commerce and the European Commission said in a joint statement.

The EU-US Privacy Shield provided a legal framework to allow US companies to transfer EU user data to data centers located outside the EU. This way, US-based online services and cloud providers could have EU users without having to set up data centers in Europe specifically to store their data. Thousands of companies have signed up with Privacy Shield, and the Court of Justice invalidating the framework will impact how they operate in Europe.

The Court of Justice said that companies cannot provide users with lesser privacy rights by moving European users’ data to data centers outside of Europe.

Shortly after the Court of Justice ruling, the U.S. Department of Commerce had said in a statement it would continue to administer Privacy Shield, leaving companies with the understanding they can continue to rely on the framework for transferring EU user data. That isn’t the case, and businesses should not be too hopeful about the announcement meaning a replacement would be soon on the way, wrote Daragh O Brien, a managing director of governance and privacy consultancy Castlebridge.

Department of Commerce statement aside, the European Data Protection Board was very clear that the decision invalidated Privacy Shield “without maintaining its effects,” O Brien wrote. Organizations continuing to transfer personal data to the US on the basis of Privacy Shield are taking a big risk because there is no framework in place, no grace period to shift operations, and no indication that a replacement framework is coming.

“This [new negotiations] means nothing,” O Brien wrote.

The core problem is that US surveillance law, which gives government agencies broad powers to intrude online, continues to be incompatible with EU privacy law, which centers on individual privacy. U.S. government agencies have too much access to personal information stored by U.S. technology companies and other organizations. Privacy Shield had neither the political clout nor the controls to effectively protect EU personal data held by US companies from federal intrusion.

“The European Union puts data privacy for its citizens first, ahead of Law Enforcement and State needs. The US puts National Security and Law Enforcement interests ahead of personal privacy,” said Saryu Nayyar, the CEO of Gurucul. “It's a fundamental difference in perspective, which makes it difficult for businesses to navigate the legal hurdles while simultaneously complying with conflicting regulations on a global scale.”

Privacy Shield was negotiated after the Court of Justice struck down Safe Harbor for the same reasons five years ago. Nothing changed in how the U.S. legal system treated surveillance and data privacy in the wake of the Safe Harbor ruling in 2015, so it wasn’t surprising that Privacy Shield was just as problematic.

As O Brien noted, the current discussions are not about the elements of a deal, but whether or not there could be a deal. The Court of Justice has made it clear in both rulings that any future deal must have real privacy protections. The US has made it clear in its policy decisions that its focus is on mass surveillance.

“The fundamental issues of oversight and redress that the CJEU has highlighted will need to be addressed on the US side before any deal can be finalised. That was the position in 2015, and it remains the position now,” O Brien wrote.

Striking down Privacy Shield could be seen as a "way to push for the U.S. to get onboard with surveillance reform as well as a push for business interests to do the same," said Chloé Messdaghi, vice-president of strategy at Point3 Security. The options are to change the laws or for companies to move their operations to Europe and split their systems into two parts, Messdaghi said.

“The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies,” U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders said in the statement. “We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.”

O Brien said the US is not likely to make the changes, so the EU Commission has a choice between walking away without a replacement framework, or “burn[ing] huge amounts of credibility and political capital” trying to push through another deal that won’t survive court scrutiny.

Companies should stop transfers on the basis of Privacy Shield, O Brien said. There is no Privacy Shield, so such transfers are unlawful. There are alternatives to Privacy Shield, such as Standard Contractual Clauses (SCCs), but they require companies to assess whether the destination country’s local laws provide adequate privacy protections. They are stop-gap measures at best, and compliance is still just as difficult. Instead of waiting for another agreement, companies should review their suppliers and identify those who are relying on Privacy Shield, O Brien said. Where a supplier has alternative mechanisms such as SCCs, companies should check whether those mechanisms are adequate. If necessary, the suppliers should be replaced.

“We’ve been here before. Time to get things right,” O Brien wrote.

The reality is that the EU "bends backwards" to meet US demands because the US controls the technology, Messdaghi said. The US needs to take steps towards surveillance reform and preserve people's right to privacy, and any meaningful agreement would first require changes to the existing data industrial complex. Otherwise, any discussion is merely "an initiative for the sake of appearances," Messdaghi said.

The desire for a new Privacy Shield is quite understandable, and this round of negotiations may come up with a new version of Privacy Shield. Unless the US government changes how it handles data privacy (instead of leaving it in the hands of individual states), any new agreement will hit the Court of Justice again and meet the same fate as its predecessors.

“So the @SecretaryRoss and @EU_Justice are (A) working on changing US surveillance laws or (B) working on the third beating by the #CJEU?!” Max Schrems, the privacy activist who brought the case against Facebook, wrote on Twitter.