Is Transatlantic Data Flow on the Ropes?

on the ropesEU US data transfer is on the ropes after taking a one two punch to the Privacy Shield and a kick to the model contract clauses. And all that came after Safe Harbor was KO'd last year. It came as no surprise to many who felt that Privacy Shield was only a minimal improvement on Safe Harbor. After Safe Harbor's demise, model clauses were a flawed but acceptable interim mechanism allowing data transfer to continue while the specifics of Privacy Shield were developed.

Safe Harbor, implemented in 2000, allowed data from the EU to be legally transferred to the US, by guaranteeing the data would be handled with levels of privacy protection equivalent to that required by EU privacy laws. US companies that were Safe Harbor certified were then able to receive EU data legally.

Companies desiring certification would opt to adhere to 7 principles that formed the framework of EU privacy law. The organizations would self-certify, attesting they had met the requirements. The US Government did not regulate Safe Harbor, but the FTC did manage it, and could penalize companies for violating its provisions or falsely claiming certification. 

Safe Harbor was self-regulated by its members. Self certification meant the organization took necessary measures, and then assessed itself for compliance, and then declared itself good to go. There was no oversight or testing. Over the years, reviews by the EU were extremely critical of the program, finding that many certified companies in no way came close to meeting requirements, and that hundreds more were falsely claiming certification.

So Safe Harbor was already on rocky ground before the Edward Snowden leak revealed that the US government was conducting mass surveillance and bulk data collection. Safe Harbor was not providing protection for the data of EU citizens, and it was struck down in September 2015.

The European Commission then set  a deadline of January 31, 2016 for the EU and US to come up with an alternate plan for data transfer.  In the meantime the EU would not take any legal actions, and model clauses were one of the mechanisms being used by huge corporations, with the approval of the European Commission.

As the deadline for the Safe Harbor replacement neared, things got tense. The grace period granted by the European Commission was about to end. Most companies that had been relying on Safe Harbor had simply carried on business as usual, hoping a new agreement would be reached. Without one the Commission could begin prosecution for the continuing flow of massive amounts of data to the US from the EU.

Two days past the deadline an agreement - Privacy Shield, was announced. Negotiators from both sides had come to terms, but the draft deal was in rough shape, and once details emerged, it was regarded to have most of the same insufficiencies that caused Safe Harbor to be struck down. But it was enough to buy some time, and forestall any enforcement action. Data continued to flow while EU data authorities set about examining the specifics and deciding if the new agreement was strong enough to be put before Parliament for a vote.

in April the Working Party (a group made up of the heads of the Data Protection Authorities of EU Member States) expressed serious concerns about Privacy Shield's ability to ensure a level of protection that is essentially equivalent to that in the EU. Privacy Shield they said, failed to limit “massive and indiscriminate” collection of data by US authorities. And now two more opinions have been delivered, and to little surprise, both find Privacy Shield lacking. 

First the European Parliament passed a resolution demanding that the European Commission and the US renegotiate the draft Privacy Shield. The resolution is not binding, but it indicates that the draft will not pass into law as it is written.

A few days later the European Data Protection Supervisor's published his official opinion of Privacy Shield. He states that the proposed legislation is not robust enough and does not meet EU privacy requirements. In other words, don't bother trying to get this passed into law as is.

The problems with Privacy Shield are many of the same ones that led to Safe Harbor being invalidated. The US won't budge on surveillance powers that violate European privacy standards. Also at issue is the lack of a sufficient means of redress for EU citizens who feel their data has been mishandled.

Most recently comes a legal challenge to model clauses. The sticking point remains the same - there is no effective legal remedy for EU citizens whose privacy rights have been violated by US authorities.  The Working Party has said it is examining the legality of model clauses, but approved them as a acceptable alternate transfer mechanism as they try to establish a version of Privacy Shield that will work. Now model clauses look likely to be invalidated in court.

Negotiators on both sides of the Atlantic continue scrambling to devise a solid data transfer agreement. As they work, they accept stopgap mechanisms so that more than 4,000 companies, including the likes of Facebook and Google, can continue the critical exchange of data between the EU and US. But even these temporary measures are under assault.

Increasingly, on this side of the Atlantic at least, EU privacy policies are being questioned. A former FTC Commissioner said “There are some big decisions that European legislators will have to make concerning the way they stand on data versus the rest of the world.”

And the director of the Computer & Communications Industry Association said “Europe risks drifting into data isolation...Its tools for data transfers to the world are increasingly challenged.”