Privacy Shield 2.0 is ‘high priority’ but ‘not easy’, warns EU’s Vestager

Agreeing a new data transfer agreement with the US is a “high priority” for the EU, Margrethe Vestager, the bloc’s executive VP for digital strategy, said yesterday — but she also warned that a replacement for the defunct EU-US Privacy Shield (and Safe Harbor before that) is by no means a done deal, given the fundamental legal clash between European privacy rights and US surveillance overreach.

In recent weeks some press reports have suggested a new deal on transatlantic data transfers is imminent — potentially as soon as this month, per a Politico report from February 3.

However, the mood music from commissioner Vestager suggests otherwise.

“This is a high priority endeavour to make such an agreement with the Americans,” she said during a Q&A session at a press conference on the Commission’s latest proposal around data sharing (aka the Data Act). “This is not easy, to say it really understated. Because we take the guidance of course from the court [CJEU] who ruled on the basis of the Charter of Fundamental Rights which is not something that we can or will change.

“So we need to find a way of working with the Americans that is in accordance with this — in order of course not to get a negative Schrems III judgment, if so be. But it is a priority for us in order to enable the business community to make the most of data but again to do that under safe and clear transparent conditions — and this is why we’re pushing this.”

The reason the data transfers issue came up in the context of the Data Act — which Vestager herself suggested is mostly concerned with non-personal data (whereas the Schrems rulings that nixed Privacy Shield and Safe Harbor concern exports of personal data out of the bloc) — is that the draft legislation proposes a sort of ‘Schrems II for non-personal data’, as data protection experts quickly dubbed it.

An explanatory memorandum prefixed to the draft Data Act proposal lists “safeguards against unlawful data transfer without notification by cloud service providers” as one of its specific objectives — explaining: “This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy.”

Article 27 of the Data Act, which deals with international access and transfer, also states:

“Providers of data processing services shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State”

Summing up the intent, an EU source familiar with the matter told us: “We are saying that non-personal data shouldn’t leave EU if it’s likely to fall into hands of foreign spooks we don’t trust” — also likening it to a “Schrems II for non-personal data”.

So for anyone fondly imagining that the regional legal uncertainty that’s been hanging over (especially) US-based cloud services, since the middle of 2020, is but a little fog that’s bound to clear, this plain-text stipulation on data transfers looks ominous.

Here in the draft text of the Data Act the Commission can be seen essentially doubling down on Schrems II — rather than seeking ways to circumvent the CJEU judgement, as it did after Schrems I by rushing to agree a Privacy Shield with such obvious legal flaws.

The European Court of Justice’s two strikes in quick succession on this issue appear to have put paid to any equally cynical attempt to paper over fundamental legal cracks.

Which in turn means that talk of service segregation/federation, and increasing data localization in the EU, feels very real — at least failing major US surveillance law reforms.

During the Data Act press conference, Vestager rejected a journalist’s suggestion that the Data Act is protectionist, asserting: “It is beneficial for companies no matter where they are from that data can flow.”

But she also made it clear that the EU’s rulebook is binding — so it is clear that, without a replacement data transfer agreement between the EU and the US, data will not flow freely.

Even, it seems, ‘non-personal’ data. Which raises the stakes even further — and risks casting the Data Act itself as a bit of a Privacy Shield negotiating tool given that, without a robust new data transfer deal between the EU and the US — one which can survive fresh legal challenges — cloud service switching may only be easier in the future if it’s moving data from a US to an EU provider, not vice versa.

“The thing is that we of course have obligations to make sure that the way things are flowing is in accordance with data protection provisions — this is why we can do these adequacy decisions,” Vestager emphasized yesterday. “That goes beyond the Data Act. Right now our colleague Didier Reynders [justice commissioner] is chef de file [leader] of the negotiations with the US to the follow up of the judgement Schrems II.

“So the Data Act will not stand alone. We will continue this work in making adequacy decisions with third country jurisdictions where we can see that things they are as they should be.”

Also reiterating the point at the presser was internal market commissioner, Thierry Breton. “The aim with the Data Act is opening up and unblocking industrial data,” he said. “It’s important we give rules and explanations so that all companies, European or otherwise, know exactly what the rules of the game are on the single market of the EU. We give that readability.

“For the cloud services we need to make sure there are safeguards in place to protect personal data against illicit access by a third party — a foreign government say — where there is no procedural protection or international agreement. That’s why we’re discussing this with our partners to set the rules.”

“It certainly does not prevent voluntary transfer of data if the company or the citizen so wishes,” he added. “It’s obvious but we need to recall it. International cooperation between judicial authorities and police authorities is obviously included in this.”

With the US, the data protection situation is definitely not where it “should be” vis-a-vis equivalence with EU law as it stands. Au contraire.

This is why, in recent months, data protection regulators around the bloc have been issuing enforcement decisions that implicate the use of mainstream US-based services like Google Analytics, Google Fonts and Stripe — not out-and-out ordering a halt to the usage of such services but saying usage must be compliant with EU law (and currently isn’t), and therefore that it may be necessary to seek alternatives, given… y’know, the obvious gap there.

France’s watchdog, for example, kicked off a piece of work to evaluate alternatives to Google Analytics for website audience measurement and analytics that may be exempt from the need to obtain user consent.

European public sector bodies’ use of cloud services is also facing coordinated scrutiny via a joint enforcement action which began earlier this month — similarly zeroing in on concern over international data transfers.

Plus of course there’s a major decision still looming over Facebook’s EU-US data flows — which were Schrems’ original target, all the way back in 2013.

An order to suspend those could be coming as soon as May, according to the Irish Data Protection Commission’s (DPC) chief, Helen Dixon, in an interview with Reuters. Although she also made it clear the Irish regulator won’t be issuing widespread orders off the foot of whatever it decides on Facebook.

“The decision that the DPC will ultimately make in relation to Facebook will be specific to Facebook and addressed only to Facebook,” she said. “The consequence of the CJEU decision is that we can’t make a broader and more sweeping finding. We have to go company by company by company” — further noting there are “hundreds of thousands of entities” that would potentially have to be looked at, per the Reuters report, starting with other large internet platforms.

The DPC already issued a preliminary suspension order to Facebook soon after the CJEU Schrems II ruling, in September 2020, but the tech giant quickly obtained a stay — before going on to lose its challenge to regulatory procedure in the Irish High Court last May.

And as we reported earlier this week the DPC has now submitted a revised preliminary decision to Facebook’s parent, Meta — giving the company a month to respond.

After which the other EU data supervisors will have a chance to review and potentially object to the Irish draft decision, which could add months more to the decision-making process. But if there’s broad agreement over whatever Ireland has concluded Dixon’s line is that “the earliest time we could have a final decision could be the end of May”.

Ireland’s slow pace of enforcement on investigations into tech giants means there’s absolutely no prospect of any other near term decisions landing on the data transfers issue against companies like Google.

However, EU-wide, we are seeing other regulators taking action where they have local competence — so it may be a case of ‘death by a thousand complaints’ against tools like Google Analytics, for which viable alternatives do absolutely exist (Facebook isn’t the only social network but it’s a stickier beast, owing to network effects and data portability challenges).

One burning question is whether there will be a fresh ‘Privacy Shield 2.0’ agreed by the EU and US before Ireland decides on Facebook’s data flows — assuming there’s a final decision from Ireland at the end of May.

Even if there’s basic agreement between the two sides on the substance of a new deal by then that timeline looks tight — with any new draft adequacy arrangement still needing to be adopted by the Commission which would need to wait for an opinion from the European Data Protection Board (EDPB).

Last time, after Safe Harbor was invalidated in October 2015, it took around seven months between the draft Privacy Shield deal being published (February 2016) and the mechanism being adopted by the Commission — and finally going live for businesses to self certify (August 2016).

Although, notably, the Working Party 29 — aka the body made up of Member State data protection agencies, which has since morphed into the EDPB — agreed not to cut off any transfers while Privacy Shield was being hashed out.

Meta may well be banking on a similarly generous implementation grace period for any new Privacy Shield — to allow it to keep dodging an order to suspend its EU-US data flows.

That said, it’s not clear whether the EDPB would feel it’s in its gift to do so this time around, given enforcements on the data transfers issue are already happening without the need to wait on Ireland.

Schrems’ August 2020 101 complaints, deliberately filed with agencies around the EU to counteract forum shopping, have made sure of that.

The CJEU is also of course likely to take a very dim view of any replacement adequacy agreement that repeats the mistakes of the past. And the court has shown an ability to accelerate deliberations where it perceives major risks to fundamental rights. So while Privacy Shield limped along for four years, any flawed replacement — let’s call it a ‘Privacy Umbrella’ — may have an even shorter run before being blown hopelessly inside out.

Perhaps most saliently: a third strike from the CJEU would be a massive embarrassment for the Commission — which explains Vestager’s loud, cautionary signals, to the point of explicitly stating that it does not want “a negative Schrems III judgment”.

Whether the Commission will once again willingly carry the illegal data flows of Meta et al is a particularly interesting question.

It is not the same college that went through all this last time round. Moreover, it has embarked on an ambitious tech policy agenda — of which the Data Act is just the latest puzzle piece, next to sweeping new plans to rein in tech giants’ market power, update ecommerce rules and define a framework for ‘trusted AI’, among numerous other legislative moves with which it wants to reshape the digital economy and European society and fire up the EU economy.

Hence it talks a big game of ‘digital sovereignty’.

Yet the EU’s appetite for finding out what digital sovereignty means in practice, at the business end of scores of disrupted data flows, could be sorely tested very soon.