What next for Privacy Shield? The EU should be worried

28 Jan 2017

Image: sefoma/Shutterstock

Donald Trump, and Barack Obama before him, have thrown as many spanners as possible into the Privacy Shield works. Nothing changes.

A pact between the EU and the US, aimed at levelling the playing field for how citizens’ data is treated in each jurisdiction, is seemingly dead.

Standing on the shoulders

With his term all but over, Barack Obama’s administration expanded the NSA’s powers, broadening the range of departments that can access personal communications intercepted in the US.

This essentially loosened the rules on how satellite transmissions, digital communications and phone calls could be monitored, and dramatically increased the number of officials who will be searching through your data, my data, everyone’s data.

This seemed like quite a blow to Privacy Shield, given the thin ice that it has rested on amid Safe Harbour’s demise and the slow, unenthusiastic efforts in the US to play ball.

Now, that blow looks a mere blip on the horizon. Donald Trump, following Obama’s lead, issued an executive order this week that ensured security agencies could discriminate against non-US citizens.

‘My opinion is that Privacy Shield is dead on arrival. It’s entirely possible the CJEU could pull the plug’
– DARAGH O’BRIEN, MD OF CASTLEBRIDGE ASSOCIATES

“Privacy Act,” the order reads. “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The problem here is that Privacy Shield’s entire existence comes on the back of the realisation that, while the EU officially treats US citizens pretty much as its own when it comes to data protections on its soil, the US historically has taken the opposite approach.

Privacy Shield, combined with the EU-US Umbrella Agreement, is aimed at extending the benefits of the US Privacy Act to those in the EU and allows access to US courts for data protection issues.

The executive order recently signed reads contrary to that.

Put pen to paper

Though Privacy Shield has already commenced, the Article 29 Working Party, made up of national data protection authorities, is still reviewing it. Model Clause contracts may be providing some companies with a stop gap between Safe Harbour and Privacy Shield.

An interesting element to Trump’s move is the fact that the Swiss/US Privacy Shield was finalised only last week. It is scheduled to officially begin in April. It features one or two subtle differences to the EU version, notably its definition of ‘sensitive data’.

Though, again, Trump’s move seems to undermine the whole agreement.

“My personal opinion is that Privacy Shield is dead on arrival,” said Daragh O’Brien, MD of Castlebridge Associates and data protection advocate, even before the latest executive order from Trump’s administration.

“The underlying agreement is grounded on an array of non-legally binding assurances and undertakings. The Article 29 Working Party was less than enthusiastic about the deal, and it is scheduled to do a review later this summer. Those two factors are probably causing some organisations to hesitate adopting Shield.

Pull the plug

“The Digital Rights Ireland case, which has recently been joined by the US Government, adds further complexity to the mix, as it is entirely possible the CJEU could pull the plug on Shield before the Article 29 Working Party review is completed.”

Indeed, the plug-pulling may come sooner than expected. Upon news of the US executive order, the EU came out with its own statement, which itself shows the significance of proceedings.

The statement claims that EU citizens were never protected under the US Privacy Act, thus suggesting little change here, but it does admit that problems may emerge.

“We will continue to monitor the implementation of both instruments (Privacy Shield and Umbrella) and are following closely any changes in the US that might have an effect on European’s (sic) data protection rights,” it said.

It is excellent timing, all of this, coming in the lead up to Data Protection Day (28 February).

Ironically, the EU Justice Commissioner, Věra Jourová, revealed plans to head for the US to meet with the Trump administration only last week, with Privacy Shield the intended topic of discussion.

Jourová wants to ensure the US government maintains a “culture of privacy” – despite years of evidence to the contrary – under the new administration.

That evidence keeps on coming.


Updated, 7.10am, 30 January 2017: This article was updated to clarify that Privacy Shield has commenced.

Gordon Hunt was a journalist with Silicon Republic
