Europe’s Privacy Shield deadline with the US has passed and nothing happened. Are the US playing high stakes poker with the EU and if so, who’s holding all the trump cards?
There is good reason to believe that the US might call the EU’s bluff on the threats of suspension and cancellation of the Privacy Shield Framework, because the European Parliament’s resolution is non-binding. It’s up to the European Commission civil servants to continue the fight for proper data privacy between the EU and US.
While the deadline given was the 1st September 2018, the critical date to look out for is really October, when the second annual review of Privacy Shield is due to take place. If the Commission blinks and decides to sign the mechanism through for another year, Washington can basically keep on its current path.
Given the current anti-EU rhetoric coming out of the White House, the chances of a threat from Brussels falling on open ears are also very slim, since the lack of action has made it clear what the US authorities really think.
So, the big question… does the EC have the nerve to completely suspend the agreement? I personally doubt it.
We’ve been here before. The best we’re looking at here is some ‘look how tough we are’ posturing, a ‘must do better or else’ signing off of Privacy Shield for another year and the pulling around us all of an increasingly moth-eaten comfort blanket.
The US Congress and the Executive have continuously ignored or consciously disregarded the provisions of the Privacy Shield and turned a deaf ear to the repeated calls for compliance by EU government institutions and experts. For instance, the EU Commission has repeatedly identified the functioning of the Privacy and Civil Liberties Oversight Board (PCLOB) and the Ombudsperson as a key component for the continued viability of the Privacy Shield. Yet, since 2017, the PCLOB has been lacking a quorum and the position of the Ombudsperson remains vacant.
Furthermore, as negotiations with US counterparts did not lead to significant progress, it is high time for the EU Commission to take action to protect the rights of EU data subjects and suspend the arrangement.
The ongoing expansion of the US surveillance apparatus and the disdain this US administration shows toward human rights globally continue to undermine the validity of the Privacy Shield and its capacity to protect privacy. These facts necessitate reflection on what more (or rather, less) the United States would have to do to vacate the Privacy Shield and how much longer the EU Commission can hold its nose and tolerate the US government’s wilful dereliction of its responsibilities.
With the risks of revocation or suspension of Privacy Shield now escalating, reliance on Privacy Shield alone is inadvisable. Firms could consider the use of the EU Standard Contractual Clauses, although these are also being challenged in the European courts, or prepare for whatever other methods are approved by the EU regulatory authorities following the Privacy Shield review. A more certain (risk-free) course of action would be to opt for complete data sovereignty (especially for personal data), for example by retaining the data in the UK and using a UK-based service provider for these workloads.
Firms that operate in the US are subject to US law, including FISA and the CLOUD Act, neither of which will easily be incorporated into the next version of Privacy Shield. While they can offer a level of data residency (offering to keep your data in the UK), the CLOUD Act eliminates protection for data stored overseas, and provides them with no legal recourse to withhold data from the NSA and other US law enforcement bodies, meaning that they cannot guarantee data sovereignty.
The problem is that the two sides in this have very different attitudes to data privacy and protection. There’s very little consensus to start from, other than some self-congratulatory press releases.
I did note with interest, though, that more than half of current Members of the European Parliament (54%) support a tougher line on data protection and are likely to increase their clout in the next round of elections. In contrast, the US authorities show little interest in this direction, but considerably more in supporting increased surveillance and access to data on a global basis.
For the Europeans, it’s time to stand up and be counted.
If the US authorities cannot abide by the agreement and recognise the genuine concerns the Europeans have, the US authorities need to be made aware of the seriousness of this situation – and the tech industry needs to play its part in ramming that message home to ears that almost certainly don’t want to listen.
MIET, MBCS, Security & GDPR Specialist