Just 12 days after a review by EU and US policy makers gave it an almost completely clean bill of health, Privacy Shield caught a nasty cold in Ireland.
With latest transatlantic data sharing framework now at risk, what are the probable business implications?
Is there any way of resolving the fundamental incompatibility between US surveillance and EU privacy law?
There have been two self certified transatlantic data sharing frameworks. The initial one, Safe Harbour, was overturned last year and hurried replaced by Privacy Shield.
Each required tech companies to promise to live up to the EU’s data protection rules, in order to move data across the Atlantic from servers in the EU to others in the US.
Unfortunately, following revelations by Edward Snowden that showed the extent both of bulk data collection via the PRISM programme and of surveillance by US authorities, it became clear that there was a mismatch between the promises that companies made under Safe Harbour and reality. This led an Austrian student called Max Schrems to file a complaint with the Irish Data Protection authority, which was escalated to the EU Court of Justice which found Safe Harbour to be invalid.
Consequently, the EU and the US scrambled to come to an agreement on a second framework, called the Privacy Shield that both argued was sufficiently different to make it acceptable. It required US companies to do a better job of handling Europeans’ data, while also making sure that EU residents had redress over data protection. It also included some transparency requirements regarding US government access to the data.
Unfortunately, despite the added safeguards, unless there was drastic change in the way that organisations in the USA, such as the NSA, did surveillance, it was unclear how this activity could be compatible with EU privacy law and therefore how Privacy Shield could be valid.
This led to a continuation of the case brought by Max Schrems , in the Irish court, where Facebook, the company targeted by his appeal, had its European headquarters.
The argument made by authorities both in the EU and US that the added safeguards introduced under Privacy Shield made a significant difference were undermined by a number of actions in the US:
Firstly, Trump’s statements and actions on surveillance called into question his commitment to Privacy Shield.
In his first week in office he issued an executive order to weaken protections for data held in the US about foreign citizens. This states that: “Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
He also failed to appoint anybody to the body charged with providing EU residents with redress over data protection.
Secondly, the Department of Justice (DoJ) in the US made a series of attempts to apply extra-territorial measures in order to seize data held outside the US, calling into question their intentions for data already held in the US.
Rule 41 of the Federal Rules of Criminal Procedure was amended to authorised federal magistrate judges in the United States to issue warrants to remotely access data anywhere in the world.
The DoJ pursued Microsoft through the courts in an attempt to get it to turn over customer emails held in Ireland that related to a drug case, and is currently taking the case to an appeal in the Supreme Court.
Thirdly, courts in the US introduced a ruling that differentiated between retrieval and seizure that was incompatible with EU law.
In Philadelphia, a U.S. magistrate ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. Thomas Rueter ruled that transferring emails from a foreign server so FBI agents could review them locally did not qualify as a seizure because there was “no meaningful interference” with the account holder’s “possessory interest” in the data sought.
“Though the retrieval of the electronic data by Google from its multiple data centres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.” The differentiation between retrieval and seizure in this ruling would mean that a US-based cloud computing firm could be ordered to retrieval information that it holds anywhere in the world and once retrieved to the US, it could be seized by US authorities.
Finally, a group called the Shadow Brokers leaked a set of hacking tools that it had stolen from the NSA’s Equation Group that used various exploits to hijack venerable Windows systems. This called into question whether the NSA, far from being more restrained in its surveillance, had actually been a great deal more active than previously assumed.
In a further complication, the NSA tools that had been leaked were then weaponised and used in the WannaCry malware attack that crippled organisations across the globe.
Recently Privacy Shield faced its first annual review by European Union Justice Commissioner Věra Jourová and U.S. Commerce Secretary Wilbur Ross. Rather than criticise the US for stalling on provisions that would prohibit secretly sharing this user data with intelligence agencies and for the weakness of its safeguard mechanisms, political expediency meant that they gave it a clean bill of health – only calling out the fact that US authorities under Donald Trump’s administration have yet to set up a permanent ombudsperson, to whom EU citizens can file complaints if they believe their rights have been violated. Indeed, Jourova went so far as to say that the EU commission would not “wait forever” for the US side to appoint someone, on a permanent basis, to the position.
This position lasted just 12 days before …. Before the SHiPS (Safe Harbour & Privacy Shield) struck the first of three new icebergs:
On October 3rd the Irish High Court Judge Caroline Costello responded to concerns raised by the Irish Data Protection Commissioner Helen Dixon in regard to the Max Screms case against Facebook. She ruled that there were: “well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter (of Fundamental Rights).” As a result, she asked pushed the case up to the European Union Court of Justice (CJEU) for a ruling in the case. This is the same court that threw out Safe Harbour.
Now that the Privacy Shield has completed its first review by EU Commissioner Jourová and U.S. Commerce Secretary Ross, the Article 29 Working Party will consider any of the review’s proposed reforms and start looking seriously at Privacy Shield itself. It is unlikely to be as lenient they were.
If US surveillance don’t now change dramatically, and there is no indication that they will, then there appears no way of resolving the fundamental incompatibility between US surveillance and EU privacy law.
So even if we are able to reach a third agreement that provides even greater provisions to safeguard EU data, we would still need to counter the extraterritorial intrusion by US courts as well as the inclination of intelligence agencies to circumvent whatever laws exist anyway. It would also need to survive a further inevitable challenge from Mr Schrems.
It is therefore possibly no surprise that companies already expect Privacy Shield to fail and are preparing for a post-Privacy Shield world.
Thankfully we all have some time to do so. The courts won’t be moving that quickly and are unlikely to make a ruling with such drastic implications lightly. In the meantime, the authorities on both sides of the Atlantic will be moving as fast as they can to prepare an alternative agreement – although quite what that will be or what they will call it this time is far from clear.
This blog post originally appeared in Think Digital Partners, here.