After the Court of Justice of the European Union (CJEU) ruled that the previous agreement between the U.S. and the European Union (EU) for data transfers was invalid, the European Commission was quick to come up with a new deal, called the “Privacy Shield.”
Privacy Shield Criticism
Many have criticized the Privacy Shield agreement, including Edward Snowden and Max Schrems, an Austrian lawyer who had previously started the lawsuit that led to the original Safe Harbor agreement being ruled invalid.
The primary concern was that the new Privacy Shield agreement couldn’t be valid as long as the U.S. failed to pass privacy protections “essentially equivalent” to the ones in the EU. The CJEU made it clear that if EU citizens’ data is to be transferred outside of the EU, then it should have the same privacy protections. However, little changed in American law when the Privacy Shield deal was made with the United States. This led to the conclusion that the Privacy Shield agreement may be one lawsuit away from being declared invalid, as well.
Privacy Shield In Court
Ireland’s Data Protection Commissioner (DPC) brought new proceedings against Facebook because it thought the current mechanisms used to transfer data outside of the EU do not comply with articles 7, 8, and 47 of the EU Charter of Fundamental Rights.
The Irish Court agreed with the DPC that the absence of strong privacy protections for data in the U.S. may also lead to violations of EU citizens’ rights when the data is transferred to U.S. servers.
After reviewing evidence, the judge also concluded that it was “clear” that U.S. government agencies use the “PRISM” and “Upstream” programs, which are authorized by Presidential Executive Order 12333 and section 702 of FISA, to do “mass indiscriminate processing” of data that passes through U.S. cables.
Suspending Facebook’s Data Transfers
The Irish Court also found that the DPC may have the power to suspend data flows between the EU and the United States for any given company, including Facebook. However, it seems that the DPC doesn’t want to take on the responsibility of banning a company such as Facebook from the EU on its own, so its argument is that the existing data transfer agreements are broken and need to be reworked.
If the DPC had that power, it probably wouldn’t be too effective either, as the DPC could act only at a national level. Therefore, if Facebook was to move its headquarters to another EU country, it could once again transfer everyone’s data from that place.
We’ve already seen a similar case, when the Belgium Data Protection Authority (DPA) tried to fine Facebook, but a court ruled that it couldn’t do so because Facebook’s headquarters for the EU was in Ireland, where the DPA had no jurisdiction.
Following the Irish High Court decision, Schrems said: “I welcome the judgement by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgement, after diving through more than 45.000 pages of documents in a five week hearing. Facebook seems to have lost in every argument they were making.”
By October 11, the parties involved in the lawsuit will prepare their questions for the CJEU. After that, it’s expected to be about 18 months before the case will be decided by the CJEU. The last time the case reached the CJEU, it took a year and three months.
At the first annual review of the Privacy Shield, when improvements were supposed to be proposed, the European Commission patted itself on the back for the good job it did with the agreement. This is despite criticism from both the public and the group of 29 national Data Protection Authorities.
The group was expecting to see a strengthened Ombudsperson mechanism that would be effective in giving redress to EU citizens who have been illegally surveilled by the American agencies, as well as concrete assurances from the U.S. Office of the Director Of National Intelligence (ODNI).
Because of the risk that its Privacy Shield agreement may be ruled invalid, the European Commission may soon start working on some real improvements to the agreement. However, we’ll have to see how far those improvements will go and whether or not they’ll be sufficient to convince the CJEU that the Privacy Shield should stay.
As there are two partners in the deal, improving Privacy Shield will also depend on what kind of assurances and additional privacy protections the U.S. government is willing to offer (through law) to protect EU citizens’ data.
The FISA law is about to expire (by the end of the year), but many politicians in both U.S. parties as well as the current Administration seem willing to either renew it without any changes or even make it worse in terms of privacy protections. However, this would also be a good opportunity for the European Commission to suggest privacy improvements that could also protect the data transferring agreement from becoming invalid.
The data transferring deal helps both the EU and the U.S. economically (arguably it helps the U.S. more, as it’s Europeans’ data that is being taken to be processed in the U.S.), so it should be in both their interests to keep Privacy Shield alive.