The Privacy Shield deal is done. Allegedly. It is being hailed as “mission accomplished” by the negotiators. To borrow from Simon McGarr’s excellent metaphor, it appears the warship and the lighthouse have reached a mutual solution that required less movement than we expected.

Mission Accomplished indeed.

The problems with the Privacy Shield are manifold. I’ve covered some of them in yesterday’s news item after the Commission’s press conference. There are others.

Article 29 Working Party

The first problem the deal has is that it isn’t a deal. It was a press release and bag of smoke issued because nobody wanted to imagine what the Article 29 Working Party would do if there was no agreement before the end of their Plenary meeting.

The Article 29 Working Party hinted at what that would have been in today’s press conference and statement.

“Even though the WP29 certainly recognises the efforts of the U.S. in 2014 and 2015 to improve the protection of the data of non-U.S. persons, it still has concerns on the current U.S. legal framework as regards the four essential guarantees, especially regarding scope and remedies.”

In short: because the WP29 could not satisfy itself that the current mechanisms (Standard contract clauses, Binding Corporate Rules, etc.) could meet the standard of the four tests they identified from the caselaw of the CJEU and the European Court of Human Rights, and the EU Charter, EU Treaty, and Data Protection Directive (I’ll list them below), they might have been getting ready to deliver some bad news today. A finding of inadequacy of any or all of these mechanisms would have been “problematic”. So something had to be done to stall the process and reset the shot clock.

The other problem the deal has with the WP29 (or rather that the WP29 has with the deal) is that there is no documentation, no formalisation, nothing tangible to review. They only received a verbal briefing apparently. It’s one thing to miss a deadline but produce some detail. It’s another to miss a deadline and produce fuzz and a declaration of “Mission Accomplished” which is jumped on by the media before anyone can ask: “What mission, and what has been accomplished?” My sense watching the press conference was that this lack of tangible delivery was ‘problematic’ for the WP29. It becomes problematic for the Commission and US Dept of Commerce as the WP29 is the ‘fat lady’ in this opera and now they are demanding detail that will answer specific questions against a range of defined tests they’ve been practicing with on the other transfer mechanisms.

Analogy: You’ve just told your grumpiest University professor that the thesis you had gotten an extension on has no detail in it and isn’t written down. Then you’ve asked them to grade it. And give you a job reference. That is pretty much how today has gone for the Commission and the Privacy Shield.

A third problem that the WP29 will have with the deal is the Judicial Review Act. Under EU law, Data Protection Authorities must be empowered to act independently and be able to order transfers to be suspended. The so-called “National Security” amendment to the JRA would appear to impede the ability of DPAs to suspend transfers as, to benefit from any of the other provisions, the country/economic bloc

“must permit commercial data transfers with the United States and may not impede the national security interests of the United States”

So, no suspension possible, and no raising of concerns regarding mass surveillance or requesting restraint etc. This problem also affects the alleged ability of the EU Commission to suspend the Privacy Shield scheme, as was outlined to the WP29 by Commissioner Jourova (without any documentation).

The Four Tests for Intelligence

The WP29 has provided four tests for intelligence activities to meet the jurisprudence of Europe’s highest courts. In fairness, they did stress that these tests apply both to other 3rd countries and to Member States.

  1. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
  3. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  4. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

It could be argued that the very existence of such rules might “impede the national security interests of the United States”.

However, it is these tests that the “exchange of letters” will be measured against, and against which the effectiveness of the Ombudsman mechanism proposed by the US as part of the deal will be measured. The Dept of Commerce appears to have fallen at the first hurdle here as the Ombudsman is described in their Information Notice as being a …

“specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield”

There is no undertaking that the Ombudsman would actually act as part of a redress mechanism, despite the impression that appears to have been formed by the EU Commission. (This highlights the importance of a WRITTEN deal rather than a VERBAL deal when announcing a DEAL).

What Next?

The WP29 wants to see the detail of what is changing with regard to the legislative and governance frameworks that they have already reviewed post-Privacy Shield. They have requested full documentation by the end of February (26 days). I suspect that this is a deadline that the Dept of Commerce and EU Commission will be ill-advised to miss. They will then review ALL transfer mechanisms in light of the new structures during March. Safe Harbo(u)r is CONFIRMED dead and any transfers under its banner are unlawful and will be acted against.

The Professors have given their class another extension, rather than flunking them immediately. But there are only so many chances that a class can be given before the professors become part of the problem.

April will bring a decision on all transfer mechanisms to the United States, based on the four tests set out above, and the respect for independence of DPAs. That will be the final exam for this class.

Unless the warship of the US side moves to avoid the lighthouse of the EU legal framework, the outcome will be “problematic”.

“Mission Accomplished” is a premature statement. There is no deal. There is just a stay of execution.