EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement

Quick agreement is possible

Eduardo Ustaran, partner at law firm Hogan Lovells, said he believed the US and EU systems of controls were not so far apart and that although a quick resolution is unlikely, it is not impossible.

“Despite the scepticism around this, I think it is still feasible to try to make the concept work,” he said. “It is clear from the European Court of Justice judgment that the two issues to address are the controls on surveillance powers and the availability of effective remedies for individuals.”

The ECJ raised concerns that EU citizens have no rights in the US courts if they want to challenge the collection and use of their personal data by US law enforcement and intelligence agencies.

The Snowden leaks in 2013 disclosed that US tech companies, including Facebook and Apple, were obliged to share their customers’ private data with US government agencies under the PRISM programme.

The US also has powers under an order issued by president Reagan, Executive Order 12333, to collect and retain internet traffic and data from submarine telecommunications cables before the data reaches US soil.

US ombudsperson scheme ‘toothless’

Privacy Shield set up an ombudsperson in the US to provide EU citizens with rights of redress to privacy breaches by the US government.

But the ECJ found that the ombudsperson did not offer EU citizens the right to an effective remedy in the US, as required by the European Charter of Fundamental Rights.

The court found in a 63-page judgment that although the ombudsperson was said to be “independent from the intelligence community”, in practice the ombudsperson reported to the US secretary of state.

There is nothing in the Privacy Shield decision that indicated the ombudsperson had the power to make binding decisions on the US intelligence services and the agreement offered no legal safeguards to EU citizens, said the court.

“The ombudsman scheme was meant to be a mechanism for people to complain about the use of their data, but it was toothless and it wasn’t transparent,” said lawyer Dai Davis, a specialist in data protection.

Any successor to Privacy Shield will also need to take into account the ECJ’s findings when it struck down Safe Harbour in 2016, potentially putting pressure on the US to reform its mass surveillance programmes.

The court’s judgment referred to the findings of the Irish High Court that the US carries out indiscriminate surveillance and interception on a large scale.

“Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception,” the court said.

Davis said a replacement for Privacy Shield, at the very least, “would have to give EU individuals the right to challenge in US courts the manner and form in which the US collects data about them. The approach the US court takes would have to be akin to EU human rights law”.

But unless the US is prepared to make significant legal changes, the end result may be a “sticking plaster” agreement that will survive for another five years until it faces another challenge in the ECJ, said Davis.

Pressure to act quickly

The US and the EU face strong commercial pressure to reach an agreement quickly. It took nine months to agree a successor to Safe Harbour, but the financial impact of Covid-19, combined with legal uncertainty for businesses trading with the US, may lead to greater urgency.

Businesses can no longer legally transfer data to the US under Privacy Shield and must carry out stringent privacy audits if they use alternative mechanisms, such as standard contractual clauses (SCCs), or in the case of multinationals, binding corporate rules (BCRs) to share data with the US.

Companies may be at risk of heavy fines under the General Data Protection Regulation (GDPR), or class actions from the public if they fail to ensure the privacy of EU citizens.

Andrew Hartshorn, a partner with law firm Shakespeare Martineau, said he struggled to see how the EU and the US could reach a legally watertight agreement unless the US changes its practices around accessing personal data. 

“As with Safe Harbour and Privacy Shield, unless there is a change, it will just be a sticking plaster until struck down by the courts,” he said.

“But from a business perspective, I don’t think it is practicable not to allow data transfers to the US. It is just too important a trading partner.”

Former US ambassador attacks Schrems

A long legal battle by Austrian lawyer Max Schrems, who has complained that Facebook Ireland is unlawfully transferring his private data to the US, led to the EU court striking down Privacy Shield and its predecessor, Safe Harbour.

In a sign of the disquiet felt by the US over the ECJ decision, Anthony Gardner, former US ambassador to the EU, raised questions about how Schrems was funding his cases in a personal tweet.

“Time for Max Schrems to make clear who has been financing his court cases,” he said. “I doubt they have all been crowdfunded. Funny how he doesn’t seem to care about misuse of EU citizens’ data by Russia or China.”

Schrems said that 90% of his legal work was funded through pro bono work and the rest was funded by 3,300 supporting members of his privacy-focused organisation Nyob.

Elephant in the room

The US may wait until after the November presidential election before finalising an agreement. A Joe Biden administration is likely to give EU citizens greater privacy rights than the Trump administration.

Awarding the US data protection adequacy agreement with the EU looks difficult for the US, and potentially the UK following the Schrems decision, but should not be impossible, said Eleonor Duhs, director in law firm Fieldfisher’s privacy and information law group.

Duhs said that, in practice, the ECJ is asking the US to meet privacy standards that do not apply to the EU’s own member states, which have exemptions for national security.

“To me, that is the elephant in the room,” she said. “You are applying a standard to a third country that the EU does not apply to itself.”

Ben Rapp, a privacy specialist and founder of consultancy Securys, said the US would need to make substantial changes to Privacy Shield and to the governance of its surveillance programmes.

The US would also need to make it clear what cloud computing services fall within the scope of Foreign Intelligence Surveillance Act (FISA) surveillance, and whether its scope includes commonly used services such as Salesforce and Microsoft Office 365, he said.

“If it is, then FISA has almost limitless access to data, which makes it unlikely that any Privacy Shield replacement would succeed or at least survive,” he added.

Other measures could include more visible enforcement of Privacy Shield, including prosecution of US companies that import data from the EU without being registered.

The US may also need to put in place governance to restrict bulk collection of data by the US National Security Agency to limit “warrantless fishing” expeditions, said Rapp.

The EU and the US said in a joint statement that they “recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies”.

They added: “We share a commitment to privacy and the rule of law, and further deepening of our economic relationship, and have collaborated on these matters for several decades.”