Officials from the EU and U.S. are “intensifying negotiations” on a new pact for transatlantic data transfers, trying to solve the messy issue of personal information that is transferred between the two regions.
The agreement, whenever it is reached, will replace the so-called Privacy Shield. The mechanism for legally transferring personal data between the U.S. and EU was struck down by the European Court of Justice, the EU’s top court, in July 2020.
The ruling, dubbed Schrems II, came in a case taken by Austrian privacy activist Max Schrems, who argued that the framework did not protect Europeans from U.S. mass surveillance.
While Privacy Shield was invalidated, the court maintained the validity of standard contractual clauses, another mechanism for transferring personal data in and out of the EU.
Privacy Shield’s demise was the second time such an agreement was tossed out by a judge. Privacy Shield was introduced in 2016 as a replacement for Safe Harbour, which the court invalidated in 2015, in a case that was also taken by Schrems.
Negotiators from the European Commission, the EU’s executive arm, and the U.S. Department of Commerce are now trying to find a deal that fills that void, but questions still abound.
Schrems has challenged Facebook in the courts over data transfers and is a frequent critic of Ireland’s data watchdog over GDPR enforcement. The core of his issues with transatlantic data flows is U.S. mass surveillance. It was the undoing of Safe Harbour and the lingering issues unseated Privacy Shield as well.
As data moves from Europe to the U.S., he argued, there were few safeguards in place to ensure that a European’s data isn’t snooped on amid mass surveillance – the extent of which was evidenced by the revelations from former National Security Agency contractor Edward Snowden.
“The Privacy Shield was not the main issue, the issue is that the Privacy Shield had to yield to U.S. surveillance laws,” Schrems, who chairs the digital rights organization Noyb, told CNBC in an email.
He said this requires changes to U.S. laws like FISA 702, which allows for the surveillance of people outside of the country.
“In simple words: The U.S. cannot succeed as the globally trusted cloud provider, when foreigners have no rights to their data once it reaches a U.S. provider,” Schrems said.
“In the long run we need to agree, at least among the democratic nations, that our citizens are protected in the cyberspace independent of citizenship and location. Such a ‘no spy’ agreement is in our view the basis for continuous international data transfers, no matter if this concerns users or confidential commercial data that is sent abroad.”
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said that criticisms of Privacy Shield and its predecessor never took issue with data being examined for security reasons provided the process went through the correct channels and with legal protections.
But, he said, there needs to be a strong legal footing for non-U.S. citizens to check whether their data has been caught up in surveillance processes.
“The main crux is that a judge can provide someone who is outside the U.S. a legal safeguard, that they can have their rights vindicated if their rights are infringed upon,” Ryan said. “I don’t know why that’s been a point of contention, it’s obvious.”
Privacy Shield had allowed for the creation of a U.S. ombudsperson to act as a go-between for any Europeans that wished to flag their concerns. But the Donald Trump administration delayed appointing a permanent official for the role until 2019. Ultimately the appointment was short-lived, with Privacy Shield invalidated a year later.
Ryan said the Biden administration may prove more amenable to reaching an agreement with the European Commission that is more robust this time around. But that remains to be seen.
As negotiations trudge on, businesses have needed to consider alternatives to ensure their data flows can continue above board. Crucially, in its July 2020 ruling, the European Court of Justice upheld the validity of standard contractual clauses, another set of legal mechanisms for data transfers, which remain in effect.
ICCL’s Ryan said that transatlantic data flows are one of several privacy and security matters that the European Commission has been struggling with.
Ryan has been a vocal critic of the Europe-wide enforcement of GDPR and specifically the work of Ireland’s Data Protection Commission. He has also criticized the decision by the commission to grant a post-Brexit U.K. a preliminary data adequacy agreement – allowing data flows to continue between the two – arguing publicly that the U.K. is not eligible.
He said that these actions do not instill confidence in the type of consensus that could be reached soon and that ultimately, the courts could decide once again that the agreement is invalid and force the European Commission to act.
“The European Court of Justice does care, which is why we have the system we have,” he said. “Rare if ever is the case where the European court does not reaffirm what the law says.”