The first annual review of the EU‑US Privacy Shield Framework has been completed and no one seems to be particularly surprised that the data sharing arrangement has been given a resounding thumbs-up by representatives of both parties.
For those not already aware, Privacy Shield is the arrangement which oversees the movement of data between the USA and the EU. It facilities the storage of the personal data of EU citizens on corporate servers in the USA and supposedly ensuring that all the EU standards on data protection, which far exceed those in the US, are still adhered to.
The problems with Privacy Shield
Privacy Shield came into being after its predecessor, known as Safe Harbour, was struck down by the Court of Justice of the European Union (ECJ) after Edward Snowden revealed the shocking level of intrusive surveillance data stored in the US was subject to by government bodies there.
The new arrangements have been subject to much criticism since were put into place with legal challenges being bought while as recently as two months ago, Human Rights Watch called for Privacy Shield to be scrapped because of its insufficient safeguards.
The gist of the arguments against Privacy Shield is largely that it serves as a like-for-like replacement for Safe Harbour and that there are still insufficient protections in place for the EU to be sure that their citizen’s data is safe in the USA.
EU officials have also raised questions about the slow response of US officials to make the necessary changes to bring their own standards in line those of the EU and powers granted to the US Ombudsman tasked with looking at complaints about abuses of the agreement. These powers are effectively non-existent. Then there is the US propensity for mass online surveillance which has not gone away despite some officials making claims to the contrary.
A two-day whitewash
This two-day review was the first opportunity for EU officials to scrutinise how the new arrangements were working in practice. They are under pressure from both EU officials and big tech companies to keep things going, but it was still a little surprising just how positive the joint statement released by EU justice commissioner Věra Jourová and US Secretary of Commerce Wilbur Ross was.
In it, they said, “The Privacy Shield raised the bar for transatlantic data protection by ensuring that participating companies and relevant public authorities provide a high level of data protection for EU individuals.”
They went on to say, “The United States and the European Union share an interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.” Despite a sideways nod to “continued improvements to the functioning of the program”, there was no reference made to the slew of issues which have previously been raised.
The future for Privacy Shield?
So, with the official review of Privacy Shield ducking the big issues in an attempt to keep things sweet between the EU and the USA, what happens to Privacy Shield now. Well, the legal challenges that have already been brought against it will continue and if things remain as they are there is no reason to think the EU Courts will not rule this agreement illegal just as they did Safe Harbour before.
But there is also the Article 29 Working Party which is scheduled to look at the legality of Privacy Shield. Last year, they said in a statement that they would give Privacy Shield a year to bed in before raising any legal objections of their own.
That year is now up and it is expected that the group will now begin to look in earnest at the agreement. Unlike the US ombudsman, they do have some teeth and if they are not satisfied with the agreement and the safeguards in place in the USA, they will not keep quiet about it.
So, despite sailing through its first annual review, the future of Privacy Shield remains highly uncertain and this is a key reason why a huge number of tech companies have still not signed up for it. If they think it is doomed to fail, why should the public thing any different?
And unless the US takes major steps to improve its own data protection and take the EU’s concerns seriously, a legislative scramble to reach a third data protection agreement between the two unions seems almost inevitable.