In what has become an almost comical routine, we appear to be going round and round in circles trying to square the circle between EU privacy law and US mass surveillance.
In early October, just 12 days after the joint EU-US review of Privacy Shield, the High Court in Ireland granted a request from the Irish Data Protection Commissioner (DPC) for a reference to the European Court of Justice (CJEU) for a ruling on the validity of the so-called “Model Clauses” (or “Standard Contractual Clauses”) for transfer of EU personal data to the US.
You would be excused for getting the feeling that we have been here before, probably because we have been here before. The latest decision, which could be called Schrems 2, is effectively a sequel to an earlier decision, Schrems 1, and is based on the same underlying facts and issues.
At the heart of the matter is the inherent inability to square the circle between EU privacy law and US mass surveillance. The EU is unwilling to compromise on the privacy of its citizens, seen as a fundamental human right in Europe. Meanwhile, the US is unwilling to compromise on the mass surveillance that it sees as essential for its security.
In Schrems 1 in 2015, Austrian law student Max Schrems successfully brought a case to the CJEU that resulted in Safe Harbour – an initial agreement that allowed the transfer of EU citizens’ data to the US – being declared invalid.
Panic ensued and, rather than address the inherent incompatibility between EU privacy law and US mass surveillance, a replacement for Safe Harbour was hurriedly cobbled together – this time called Privacy Shield. Since then, transfers outside the EU have largely been conducted based on previously approved ‘model clauses’.
In Schrems 2 this year, Mr Schrems brought a further case to the Irish High Court questioning the adequacy of model clauses, and the court has been given approval to ask the CJEU whether transfers based on them are adequately protected.
Panic this time has been postponed, as the case will take between 18 and 24 months to reach the ECJ, but questions are already beginning to be asked about where we go next. Schrems 2 has set in motion a potentially drastic shake-up of the existing order for export of EU personal data, which could ultimately have far broader consequences than Schrems 1.
At the same time, the EU has published a report following the joint review of Privacy Shield. In this report, it issues a set of recommendations for the US government to ensure that the US continues to uphold its obligations under Privacy Shield:
- Congress should take the reauthorization process for the FISA Amendments Act of 2008 this year as an opportunity to make into law PPD-28’s protections for the personal data of non-U.S. persons. The commission explained that enshrining the PPD-28 protections in statute would ensure their continuity.
- The Trump administration should nominate a permanent ombudsperson.
- The administration should complete the nominations of the chairman and remaining members of the Privacy and Civil Liberties Oversight Board (PCLOB). These appointments will allow the PCLOB to address new matters and expand current efforts. The PCLOB should release its report on the implementation of PPD-28 to the public.
- The Department of Commerce should more effectively monitor compliance from listed companies and take further measures to prevent companies from falsely claiming compliance with Privacy Shield.
- The commission agrees to undertake a study on the use of automated decision-making and its compliance with the Privacy Shield. As noted in the staff working document, with the upcoming implementation of the EU’s Global Data Protection Regulation, new requirements will apply to data processing by American companies on European citizens’ data. The commission said it would have to determine how companies using automated decision-making—such as credit monitoring firms—should comply with the new regulation.
This brings us back to the inherent incompatibility between EU privacy law and US mass surveillance, which is driving the actions taken on either side.
Driven by its security mindset, the US implemented a series of extraterritorial legal measures that are viewed with alarm by those in the EU. Its security mindset is also behind the US’s failure to implement many of the measures and safeguards outlined in the recommendations made by the EU. There is no evidence that the US mindset is going to change in any way and therefore limited confidence that any of the extraterritorial legal measures will be repealed or that the EU’s recommendations to the US will be implemented.
At the same time, driven by its privacy mindset, the EU is implementing a far-reaching new set of privacy measures under GDPR. And there is every chance that when Schrems 2 finally gets to the ECJ, the model clauses and Privacy Shield will meet the same fate as Safe Harbour.
What happens then? Do we go round the merry-go-round again? Will there be a Schrems 3? Or will either the EU moderate its privacy mindset or the US moderate its security mindset, so that a meeting of minds allows a more stable, long-lasting arrangement to be reached?
I don’t see mindsets on either side of the Atlantic changing anytime soon, and therefore expect to see the merry-go-round continue. Here we go round again!
Bill is a tech industry veteran with over 20 years spent working in blue chip organisations, mostly in pan-European and global leadership roles. He joined UKCloud in 2016 as Cloud Strategist. An IBM veteran and former CMO at Compare the Cloud, Bill is a regular commentator and speaker on all things cloud. He chaired Cloud and Devops World Forum in both 2016 and 2017 and is exceedingly active on social media (@BillMew), sharing his views on cloud as well as on technology, economics, politics and Arsenal FC. He is one of the highest profile social influencers in the UK on areas such as HealthTech and GovTech and in the world on topics like Cloud and OpenStack.
For more details on UKCloud visit their website: https://ukcloud.com/