
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement

Talks begin on a successor to the Privacy Shield EU-US data-sharing agreement declared unlawful in July 2020 – a decision by the European Court of Justice that left thousands of businesses facing legal uncertainty

The EU and the US have begun talks over a possible successor to the Privacy Shield agreement that could put data-sharing between the EU and the US on a legal footing.

The EU and the US Department of Commerce said today that they had initiated discussions to “evaluate the potential” for an enhanced EU-US Privacy Shield that would meet the privacy requirements of EU law.

The talks follow the European Court of Justice’s (ECJ) decision to strike down Privacy Shield for breaching EU privacy and human rights law amid concerns that US surveillance and intelligence-gathering offers few rights of redress to EU citizens.

More than 5,500 businesses, including Amazon and Microsoft, signed up to Privacy Shield to transfer data from the EU to the US.

The ECJ struck down Privacy Shield’s predecessor, Safe Harbour, in 2015 over near-identical concerns about US surveillance and the lack of privacy rights for EU citizens.

The US and the EU will need to reach a new agreement that offers EU citizens legal rights of redress in the US if they believe their data has been used unlawfully by US law enforcement or intelligence services.

But reconciling EU privacy and human rights law with US laws which enable what the ECJ has referred to as “mass and indiscriminate” surveillance against non-US citizens will be difficult.

Legal minds are divided over whether the EU and the US will be able to find a solution that will survive future legal challenges in the ECJ.

Quick agreement is possible

Eduardo Ustaran, partner at law firm Hogan Lovells, said he believed the US and EU systems of controls were not so far apart and that although a quick resolution is unlikely, it is not impossible.

“Despite the scepticism around this, I think it is still feasible to try to make the concept work,” he said. “It is clear from the European Court of Justice judgment that the two issues to address are the controls on surveillance powers and the availability of effective remedies for individuals.”

The ECJ raised concerns that EU citizens have no rights in the US courts if they want to challenge the collection and use of their personal data by US law enforcement and intelligence agencies.

The Snowden leaks in 2013 disclosed that US tech companies, including Facebook and Apple, were obliged to share their customers’ private data with US government agencies under the PRISM programme.

The US also has powers under an order issued by president Reagan, Executive Order 12333, to collect and retain internet traffic and data from submarine telecommunications cables before the data reaches US soil.

US ombudsperson scheme ‘toothless’

Privacy Shield set up an ombudsperson in the US to provide EU citizens with rights of redress for privacy breaches by the US government.

But the ECJ found that the ombudsperson did not offer EU citizens the right to an effective remedy in the US, as required by the European Charter of Fundamental Rights.

The court found in a 63-page judgment that although the ombudsperson was said to be “independent from the intelligence community”, in practice the ombudsperson reported to the US secretary of state.

There is nothing in the Privacy Shield decision that indicated the ombudsperson had the power to make binding decisions on the US intelligence services and the agreement offered no legal safeguards to EU citizens, said the court.

“The ombudsman scheme was meant to be a mechanism for people to complain about the use of their data, but it was toothless and it wasn’t transparent,” said lawyer Dai Davis, a specialist in data protection.

Any successor to Privacy Shield will also need to take into account the ECJ’s findings when it struck down Safe Harbour in 2016, potentially putting pressure on the US to reform its mass surveillance programmes.

The court’s judgment referred to the findings of the Irish High Court that the US carries out indiscriminate surveillance and interception on a large scale.

“Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception,” the court said.

Davis said a replacement for Privacy Shield, at the very least, “would have to give EU individuals the right to challenge in US courts the manner and form in which the US collects data about them. The approach the US court takes would have to be akin to EU human rights law”.

But unless the US is prepared to make significant legal changes, the end result may be a “sticking plaster” agreement that will survive for another five years until it faces another challenge in the ECJ, said Davis.

Pressure to act quickly

The US and the EU face strong commercial pressure to reach an agreement quickly. It took nine months to agree a successor to Safe Harbour, but the financial impact of Covid-19, combined with legal uncertainty for businesses trading with the US, may lead to greater urgency.

Businesses can no longer legally transfer data to the US under Privacy Shield and must carry out stringent privacy audits if they use alternative mechanisms, such as standard contractual clauses (SCCs), or in the case of multinationals, binding corporate rules (BCRs) to share data with the US.

Companies may be at risk of heavy fines under the General Data Protection Regulation (GDPR), or class actions from the public if they fail to ensure the privacy of EU citizens.

Andrew Hartshorn, a partner with law firm Shakespeare Martineau, said he struggled to see how the EU and the US could reach a legally watertight agreement unless the US changes its practices around accessing personal data. 

“As with Safe Harbour and Privacy Shield, unless there is a change, it will just be a sticking plaster until struck down by the courts,” he said.

“But from a business perspective, I don’t think it is practicable not to allow data transfers to the US. It is just too important a trading partner.”

Former US ambassador attacks Schrems

A long legal battle by Austrian lawyer Max Schrems, who has complained that Facebook Ireland is unlawfully transferring his private data to the US, led to the EU court striking down Privacy Shield and its predecessor, Safe Harbour.

In a sign of the disquiet felt by the US over the ECJ decision, Anthony Gardner, former US ambassador to the EU, raised questions about how Schrems was funding his cases in a personal tweet.

“Time for Max Schrems to make clear who has been financing his court cases,” he said. “I doubt they have all been crowdfunded. Funny how he doesn’t seem to care about misuse of EU citizens’ data by Russia or China.”

Schrems said that 90% of his legal work was funded through pro bono work and the rest was funded by 3,300 supporting members of his privacy-focused organisation noyb.

Elephant in the room

The US may wait until after the November presidential election before finalising an agreement. A Joe Biden administration is likely to give EU citizens greater privacy rights than the Trump administration.

Awarding the US a data protection adequacy agreement with the EU looks difficult for the US, and potentially the UK following the Schrems decision, but should not be impossible, said Eleonor Duhs, director in law firm Fieldfisher’s privacy and information law group.

Duhs said that, in practice, the ECJ is asking the US to meet privacy standards that do not apply to the EU’s own member states, which have exemptions for national security.

“To me, that is the elephant in the room,” she said. “You are applying a standard to a third country that the EU does not apply to itself.”

Ben Rapp, a privacy specialist and founder of consultancy Securys, said the US would need to make substantial changes to Privacy Shield and to the governance of its surveillance programmes.

The US would also need to make it clear what cloud computing services fall within the scope of Foreign Intelligence Surveillance Act (FISA) surveillance, and whether its scope includes commonly used services such as Salesforce and Microsoft Office 365, he said.

“If it is, then FISA has almost limitless access to data, which makes it unlikely that any Privacy Shield replacement would succeed or at least survive,” he added.

Other measures could include more visible enforcement of Privacy Shield, including prosecution of US companies that import data from the EU without being registered.

The US may also need to put in place governance to restrict bulk collection of data by the US National Security Agency to limit “warrantless fishing” expeditions, said Rapp.

The EU and the US said in a joint statement that they “recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies”.

They added: “We share a commitment to privacy and the rule of law, and further deepening of our economic relationship, and have collaborated on these matters for several decades.”
