EU parliament calls for Privacy Shield to be pulled until US complies

The European Parliament has been making its presence felt today. As well as reopening democratic debate around a controversial digital copyright reform proposal by voting against it being fast-tracked, MEPs have adopted a resolution calling for the suspension of the EU-US Privacy Shield.

The parliamentarians’ view is that the data transfer mechanism does not provide the necessary ‘essentially equivalent’ data protection for EU citizens — and should therefore be suspended until US authorities come into compliance.

The resolution states that the parliament:

Takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice;

Considers that, unless the US is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the US authorities comply with its terms

The mechanism is currently used by more than 3,300 organizations to authorize transfers of personal data from the EU to the US, including the likes of Facebook, Google, Microsoft, Amazon and Twitter, to name just a few of the well-known tech names relying on the framework.

The EU-US Privacy Shield is not yet two years old but has always been controversial, given the mass surveillance/Snowden disclosure-related reasons for the demise of its predecessor (Safe Harbor).

Privacy Shield has looked especially precarious since the election of a US president with an openly privacy-hostile, anti-foreigner agenda. And reforms to US laws that EU lawmakers had hoped would be enacted have not come to pass.

On the contrary, US lawmakers dug in entirely on warrantless surveillance (aka Section 702 of the Foreign Intelligence Surveillance Act), giving it six more years — and offering nothing in the way of the sought-for reforms.

In today’s resolution the parliament writes that it “regrets that the US did not seize the opportunity of the recent reauthorisation of FISA Section 702 to include the safeguards provided in PPD 28” — referring to an Obama-era Presidential Policy Directive that backed extending privacy protections to non-US nationals (when a very different US president wrote that US signals intelligence activities “must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information”).

EU lawmakers have always wanted a more formal, robust and lasting commitment than a PPD, though, and privacy provisions for foreigners’ data being included in FISA was their preferred outcome. Safe to say, Trump has not picked up that baton.

The parliament is also calling for “evidence and legally binding commitments” to ensure that data collection under FISA Section 702 is not “indiscriminate and access is not conducted on a generalised basis (bulk collection)” — which would be in contravention of the EU’s Charter on Fundamental Rights.

Specifically, it is backing calls by the EU’s influential WP29 group (the body of Member State data protection chiefs now known as the European Data Protection Board, or EDPB) for an updated report from its rather less influential US counterpart, the Privacy and Civil Liberties Oversight Board (PCLOB), which still lists only one active board member on its website, yet another bone of contention for Privacy Shield compliance. The report would provide definition and detail on how US intelligence agencies are actually handling ‘bulk data’.

The parliament writes that it wants the PCLOB to report on “the definition of ‘targets’, on the ‘tasking of selectors’ and on the concrete process of applying the selectors in the context of the UPSTREAM [aka the NSA’s Internet and telephone data collection program] to clarify and assess whether bulk access to personal data occurs in that context”.

The parliament is also angry that EU individuals have been excluded from additional protection provided by the reauthorisation of FISA Section 702 — saying it contains “several amendments that are merely procedural and do not address the most problematic issues” — with MEPs amping up pressure on the Commission, urging the EU’s executive body to “take the forthcoming WP29 analysis on FISA Section 702 seriously and to act accordingly”.

Privacy Shield was only officially adopted in July 2016, but EU lawmakers have been getting increasingly unhappy because core components of the framework have been left hanging by US authorities, such as the ongoing lack of a permanent appointment to an ombudsperson role that’s intended to act as a key arbiter for any data-related complaints from EU citizens, given the data controllers in question are in the US.

The parliament also raises concerns about the executive order signed by Trump in January 2017 — aka the ‘Enhancing Public Safety’ order, which stripped away privacy protections from non-US citizens — saying that while Privacy Shield did not directly rest on the US Privacy Act related to this order, the substance of the order indicates “the intention of the US executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency”.

So, as we wrote at the time, the trajectory of Trump’s administration vis-a-vis privacy and foreigners did not — and does not — bode well for smooth data flows between the two regions; aka the lifeblood of business — not just tech business.

The parliament is also unhappy about the recent adoption of the Clarifying Lawful Overseas Use of Data Act (aka the Cloud Act), writing that this “expands the abilities of American and foreign law enforcement to target and access people’s data across international borders without making use of the mutual legal assistance (MLAT) instruments, which provide for appropriate safeguards and respect the judicial competences of the countries where the information is located”.

“The Cloud Act could have serious implications for the EU as it is far-reaching and creates a potential conflict with the EU data protection laws,” it adds — saying a more balanced solution would have been to strengthen the existing international system of MLATs “with a view to encouraging international and judicial cooperation”.

And, well, you can’t imagine treaty-ripping Trump getting cosy with that idea.

Pressure has especially stepped up on Privacy Shield in recent months, ahead of the mechanism’s second annual review — which is due to take place in October — as the review process should, in theory, provide some leverage for the EU over its US counterparts, as the Commission can hold up the threat of suspension for compliance failures.

Although, once the EC declares the annual review has passed, the lever arguably flips the other way — and Privacy Shield seemingly gets another year’s grace, with critics fobbed off with talk of ‘improvements to be made’, as happened at the first annual review last year.

That is why EU parliamentarians are amping up the pressure now, ahead of the review, much like the WP29 did last year.

The Libe committee also called for a suspension last month, raising pointed concerns about the adequacy of protection around EU citizens’ data in light of the Facebook-Cambridge Analytica data misuse scandal. Europeans’ data was among the up to 87M compromised accounts related to that scandal, though there have been many other recently emerging instances of Facebook failing to lock down user data.

The company remains an active participant in the EU-US Privacy Shield framework, although it is now under investigation by the FTC — as a consequence of the Cambridge Analytica scandal. Several other federal agencies are also reportedly examining related statements Facebook has made. So it’s facing rising heat, even as it remains listed as an active participant in Privacy Shield for now.

Any sanction or removal from the framework depends on US authorities judging an entity to have breached its obligations under the framework — and taking action.

Notably SCL Elections — a US subsidiary of the now defunct Cambridge Analytica — is now listed as inactive (it was still active just under a month ago).

The continued presence of any entity on the Privacy Shield list that has demonstrably failed to safeguard EU citizens’ personal data must raise serious questions over how much actual protection the framework affords.

In a statement on the parliament resolution today, Libe committee chair and rapporteur Claude Moraes said: “This resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data.

“In the wake of data breaches like the Facebook and Cambridge Analytica scandal, it is more important than ever to protect our fundamental right to data protection and to ensure consumer trust. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do.”

Suspending the mechanism entirely would certainly concentrate minds in the US administration — given the thousands of US companies signed up to rely on it simplifying their business operations.

Were that to happen, many of these companies would be left scrambling to put in place alternative legal arrangements to authorize data transfers — or even have to suspend data flows altogether, depending on their threshold for legal risk. (Remember the EU also now has a tough new data protection framework.)

However only the European Commission can suspend the Privacy Shield mechanism itself.

And the Commission continues to stand behind the framework it worked with the US to shape and negotiate. Christian Wigand, a Commission spokesperson, told us it intends to continue to work with the US administration on improving the implementation of Privacy Shield.

In a statement he said:

The Commission takes note of the European Parliament resolution on the EU-U.S. Privacy Shield. The Commission’s position is clear and laid out in the first annual review report. The first review showed that the Privacy Shield works well, but there is some room for improving its implementation.

The Commission is working with the US administration and expects them to address the EU concerns. Commissioner Jourová was last in the U.S. in March to engage with the U.S. government on the follow-up and discussed what the U.S. side should do until the next annual review in October.

Commissioner Jourová also sent letters to US State Secretary Pompeo, Commerce Secretary Ross and Attorney General Sessions urging them to make the necessary improvements, including on the Ombudsman, as soon as possible.

We will continue to work to keep the Privacy Shield running and ensure Europeans’ data are well protected. Around 4,000 companies are using it currently.

There’s a wild card here too though: Privacy Shield is now facing serious legal questions in Europe, having been looped into what began as a separate legal challenge to another data transfer mechanism — used by the likes of Facebook — to authorize transfers of EU users’ personal data to the US for processing.

That case recently resulted in a referral of various legal questions, including around Privacy Shield, to Europe’s top court — thereby posing what could be an existential threat to the whole arrangement. (Though Facebook is attempting to derail the referral, and has an appeal against it set to be heard in Ireland’s Supreme Court later this month.)

While the Commission has a vested interest in defending and maintaining a framework it renegotiated so very recently, and which it can trumpet as a success given the number of businesses that have jumped on board, the CJEU will be looking at Privacy Shield’s adequacy protections purely from the legal perspective — and, as happened with Safe Harbor in 2015, the court could decide the mechanism is legally unsound and strike it down at the stroke of a pen.

At which point the scrambling and renegotiating would begin all over again.

The EDPB notes that Privacy Shield was among the topics discussed at its second plenary meeting today. The group says it also met with the acting US ombudsperson responsible for handling national security complaints under the Privacy Shield, ambassador Judith Garber (who, nonetheless, is not a permanent appointee).

In a statement released after the plenary, it writes that the meeting with Garber was “interesting and collegial” but did not provide a conclusive answer to its ongoing concerns, including around the ombudsperson role; the lack of formal appointments to the PCLOB; the lack of additional information on the ombudsperson mechanism; and further declassification of the procedural rules, in particular on how the ombudsperson interacts with the intelligence services.

“These issues will remain on top of the agenda during the second annual review,” it writes. “In addition, it calls for supplementary evidence to be given by the US authorities in order to address these concerns. Finally, the EDPB notes that the same concerns will be addressed by the European Court of Justice in cases that are already pending, and to which the EDPB offers to contribute its view, if invited by the CJEU.”