19 August 2020
Will the EU and USA find a new way to permit the transatlantic commercial transfer of personal data? On 10 August talks took place between the European Commission and the US Department of Commerce "to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework" following the invalidation of the former Privacy Shield by the Court of Justice (CJEU) in the 'Schrems II' case. Observers believe that a replacement is likely, but would also be struck down by the courts without significant reforms to the US legal system.
In the 'Schrems II' judgment, concerning "the voluntary 'outsourcing' of processing of personal data to the United States," the CJEU found that the EU Privacy Shield agreement was invalid as it did not provide the required levels of data protection for individuals whose personal data was transferred from the EU to the USA.
There were two principal reasons for this - firstly, US surveillance powers. The CJEU highlighted in its press release (pdf) on the judgment that:
"...the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary."
Secondly, data subjects in the EU do not have sufficient means of redress in the USA. The CJEU press release remarks that the "Ombudsman mechanism" set out in the Privacy Shield:
"...does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services."
The 'Privacy Shield' was thus declared invalid, just as its predecessor (the 'Safe Harbor') agreement had been some years previously.
The result, as explained by None of Your Business, the organisation founded by Maxmillian Schrems, is that:
"...many companies in the EU will still have to review their outsourcing practices if they have personal data processed by US providers. Recipients of this data in the US will also need to conduct a similar review if they are subject to obligations under relevant US surveillance laws such as FISA 702."
The organisation emphasises:
"The case does not concern: (1) data that is not “personal data”; and (2) “necessary” data transfers to the United States (e.g. emails to the US, bookings in the US etc.) - in most cases these transfers benefit from a “waiver” provided in Article 49 of the GDPR.
Therefore, this case does not mean that one cannot send emails or messages from the EU to the US. Any claim that suggests this is simply incorrect." (emphasis in original)
The issue is with personal data that does not have to be transferred from the EU to the USA, but that companies choose to transfer. The German travel operators' association, for example, has called on its members to reassess the legal grounds for transferring passenger data (taken from Passenger Name Record or PNR files) to the USA.
Although the Privacy Shield may have been halted as a means for such transfers, others remain available - primarily Standard Contractual Clauses, the validity of which was left intact by the CJEU, but which will now require reassessment by companies using them.
Now the EU and USA hope to find a new agreement to overcome the court's judgment.
A joint press release published on 10 August said that the European Commission and the USA's Department of Commerce "have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the 16 July judgement of the Court of Justice of the European Union in the Schrems II case."
Without reform of the USA's state surveillance powers and redress mechanisms, however, any such agreement may prove to be as short-lived as the Privacy Shield and Safe Harbor.
An article in TechCrunch argues that:
"Turns out neither a ‘Shield’ nor a ‘Harbor’ were metaphors grand enough to paper over this fundamental clash of legal priorities, when a regional trading bloc with long standing laws that protect privacy butts up against an alien regime that rubberstamps digital intrusion on national security grounds, with zero concern for privacy.
And so we arrive at the prospect of a new, papier-mâché ‘Privacy Shield II(I)’ — which looks to be the most appropriate metaphor for this latest round of EU-US ‘negotiations’ aimed at cobbling something together to buy more time for data to keep flowing. Bottom line: Even if Commission and US negotiators ink something on paper any claimed legal protections will, without root and branch reform of US surveillance law, sum to another sham headed for a speedy demolition day in court."
In CPO Magazine, another commentator argues that:
"Given that there has been no meaningful change in privacy laws or practices on the US end, there is little reason to believe that a “Privacy Shield II” would ultimately fare any better than its two predecessors. But the US and EU may well be anticipating this; a new agreement could simply be a delaying tactic to allow business to continue for some time while a new case [that is, against a new agreement] works its way through the EU courts. Though the legal challenge to the Privacy Shield framework moved through the court system much more quickly than the Safe Harbor case did, it nevertheless took nearly four years to work its way from the initial filing to the European Court of Justice ruling."
The joint Commission/Department of Commerce press release declares that both sides "share a commitment to privacy and the rule of law". The CJEU has now decided otherwise on two separate occasions. Will next time be any different?
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.