Pressure mounts on EU-US Privacy Shield after Facebook-Cambridge Analytica data scandal

Yet more pressure on the precariously placed EU-US Privacy Shield: The European Union parliament’s civil liberties committee has called for the data transfer arrangement to be suspended by September 1 unless the US comes into full compliance.

Though the committee has no power to suspend the arrangement itself. But has amped up the political pressure on the EU’s executive body, the European Commission.

In a vote late yesterday the Libe committee agreed the mechanism as it is currently being applied does not provide adequate protection for EU citizens’ personal information — emphasizing the need for better monitoring in light of the recent Facebook Cambridge Analytica scandal, after the company admitted in April that data on as many as 87 million users had been improperly passed to third parties in 2014 (including 2.7M EU citizens) .

Facebook is one of the now 3,000+ organizations that have signed up to Privacy Shield to make it easier for them to shift EU users’ data to the US for processing.

Although the Cambridge Analytica scandal pre-dates Privacy Shield — which was officially adopted in mid 2016, replacing the long-standing Safe Harbor arrangement (which was struck down by Europe’s top court in 2015, after a legal challenge that successfully argued that US government mass surveillance practices were undermining EU citizens’ fundamental rights).

The EU also now has an updated data protection framework — the GDPR  — which came into full force on May 25, and further tightens privacy protections around EU data.

The Libe committee says it wants US authorities to act upon privacy scandals such as Facebook Cambridge Analytica debacle without delay — and, if needed, remove companies that have misused personal data from the Privacy Shield list. MEPs also want EU authorities to investigate such cases and suspend or ban data transfers under the Privacy Shield where appropriate.

Despite a string of privacy scandals — some very recent, and a fresh FTC probe — Facebook remains on the Privacy Shield list; along with SCL Elections, an affiliate of Cambridge Analytica, which has claimed to be closing its businesses down in light of press around the scandal, yet which is apparently still certified to take people’s data out of the EU and provide it with ‘adequate protection’, per the Privacy Shield list…

MEPs on the committee also expressed concern about the recent adoption in the US of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), which grants the US and foreign police access to personal data across borders — with the committee pointing out that the US law could conflict with EU data protection laws.

In a statement, civil liberties committee chair and rapporteur Claude Moraes said: “While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”

The Privacy Shield was negotiated by the European Commission with US counterparts as a replacement for Safe Harbor, and is intended to offer ‘essentially equivalent’ data protections for EU citizens when their data is taken to the US — a country which does not of course have essentially equivalent privacy laws. So the aim is to try to bridge the gap between two distinct legal regimes.

However the viability of that endeavor has been in doubt since the start, with critics arguing that the core legal discrepancies have not gone away — and dubbing Privacy Shield as ‘lipstick on a pig‘.

Also expressing concerns throughout the process of drafting the framework and since: The EU’s influence WP29 group (now morphed into the European Data Protection Board), made up of representatives of Member States’ data protection agencies.

Its concerns have spanned both commercial elements of the framework and law enforcement/national security considerations. We’ve reached out to the EDPB for comment and will update this report with any response.

Following the adoption of Privacy Shield, the Commission has also expressed some public concerns, though the EU’s executive body has generally followed a ‘wait and see’ approach, coupled with attempts to use the mechanism to apply political pressure on US counterparts — using the moment of the Privacy Shield’s first annual review to push for reform of US surveillance law, for example.

Reform that did not come to pass, however. Quite the opposite. Hence the arrangement being in the pressing bind it is now, with the date of the second annual review fast approaching — and zero progress for the Commission to point to try to cushion Privacy Shield from criticism.

There’s still no permanent appointment for a Privacy Shield ombudsperson, as the framework requires. Another raised concern has been over the lack of membership of the US Privacy and Civil Liberties Oversight Board — which remains moribund, with just a single member.

Threats to suspend the Privacy Shield arrangement if it’s judged to not be functioning as intended can only be credible if they are actually carried out.

Though the Commission will also want to avoid at all costs pulling the plug on a mechanism that more than 3,000 organizations are now using, and so which many businesses are relying on. So it’s most likely that it will again be left to Europe’s supreme court to strike any invalidating blow.

A Commission spokesman told us it is aware of the discussions in the European Parliament on a draft resolution on the EU- U.S. Privacy Shield. But he emphasized its approach of engaging with US counterparts to improve the arrangement.

“The Commission’s position is clear and laid out in the first annual review report. The first review showed that the Privacy Shield works well, but there is some room for improving its implementation,” he told TechCrunch.

“The Commission is working with the US administration and expects them to address the EU concerns. Commissioner Jourová was in the U.S. last time in March to engage with the U.S. government on the follow-up and discussed what the U.S. side should do until the next annual review in autumn.

“Commissioner Jourová also sent letters to US State Secretary Pompeo, Commerce Secretary Ross and Attorney General Sessions urging them to do the necessary improvements, including on the Ombudsman, as soon as possible.

“We will continue to work to keep the Privacy Shield running and ensure European’s data are well protected. Over 3000 companies are using it currently.”

While the Commission spokesman didn’t mention it, Privacy Shield is now facing several legal challenges.

Including, specifically, a series of legal questions pertaining to its adequacy which have been referred to the CJEU by Ireland’s High Court as a result of a separate privacy challenge to a different EU data transfer mechanism that’s also used by organizations to authorize data flows.

And judging by how quickly the CJEU has handled similar questions, the arrangement could have as little as  one more year’s operating grace before a decision is handed down that invalidates it.

If the Commission were to act itself the second annual review of the mechanism is due to take place in September, and indeed the Libe committee is pushing for a suspension by September 1 if there’s no progress on reforms within the US.

The EU parliament as a whole is also due to vote on the committee’s text on Privacy Shield next month, which — if they back the Libe position — would place further pressure on the EC to act. Though only a legal decision invalidating the arrangement can compel action.