Privacy Shield Replacement: The Bastard Son of Shield
The US Department of Commerce and the European Commission have responded to the striking down of Privacy Shield by issuing a joint press release. This release announces that:
The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.
What does this mean for Privacy Shield?
This means nothing. Privacy Shield has, to borrow a technical term from Monty Python, joined the choir invisible. It is no more.
A number of organisations I’ve contacted over the last few days on behalf of clients have pointed to the Dept of Commerce statement that it would continue to administer Privacy Shield as the basis for their continued reliance on it as a basis for transfer. That is admirable. It is also essentially the same as declaring you will continue to drive over the bridge across the deep and dangerous river even after THE OTHER SIDE OF THE BRIDGE HAS COLLAPSED IN FRONT OF YOU.
Some have speculated today that this joint announcement would give pause to Supervisory Authorities taking enforcement action against organisations that continue to transfer personal data to the US on the basis of Privacy Shield. One hopes that this is not the case.
That was the position in practice after the striking down of Safe Harbor. However, at that point there had been reasonably extensive negotiations on a replacement for Safe Harbor for a number of years. Even then, the final deal that was cobbled together to become Privacy Shield was almost immediately declared a Chocolate Teapot in the global Data Protection Community. Once that deal was put in place, Supervisory Authorities were consistent in their negative assessment of it in multiple reviews – but only the CJEU could make a decision on its adequacy as (per Schrems I) it was a decision of the European Commission and could only be struck down by the CJEU.
However, the EDPB’s FAQ on the Privacy Shield aspects of the decision in Data Protection Commissioner v Facebook & Schrems is explicit on the question of a grace period. There isn’t one. The response to the question on any grace period is pretty blunt:
No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.
As to whether the announcement of discussions about the potential for maybe negotiating a replacement deal will give enforcers pause for thought, I would suggest you try that argument the next time you are caught speeding in a 60 km/h zone – “But officer, there is a 120 km/h zone just up ahead and when I reach there I won’t have been breaking the law”.
The Commission and Dept of Commerce Privacy Shield Statement
So, what are we to make of the statement issued by the US Department of Commerce and the European Commission about a “Son of Privacy Shield”? Personally, I am having an incredible feeling of déjà vu (and yes, that is a link to another Monty Python reference). Heck, I was even using lame Monty Python references back then. I’ve looked back at my blog posts and notes from 2015 and from 2016 when Privacy Shield was signed off, and I am bemused that the EU Commission and Dept of Commerce appear to be trying to do the same things and get a different result.
My initial thoughts on what we should take from this press release are as follows:
It’s just talks about the potential for talks
Let’s not declare “Mission Accomplished” on this just yet. The key word in the press release is “POTENTIAL”. The discussions are not around a deal but around the potential for a deal. For any deal to have potential, it will need to address the fundamental underlying issues that the CJEU has addressed on two previous occasions. The Commission had a chance with Privacy Shield to use it as a stepping stone to a better solution.
They squandered that.
The CJEU has made it clear what the foundations of any future deal will need to address. The US has made it clear in its policy positions and approach to mass surveillance over the past decade or more that, to paraphrase the American philosopher Mr. Meat Loaf…
I would do anything for a transatlantic data transfer agreement that guarantees a respect for fundamental human rights and ensures a meaningful oversight of intelligence and law enforcement actions and an effective set of remedies for individuals whose rights are interfered with…
… but I won’t do that.
So, talks about the potential for a future deal will probably be very short.
The fundamentals will need to be addressed for any deal to arise
The fundamental issues of oversight and redress that the CJEU has highlighted will need to be addressed ON THE US SIDE before any deal can be finalised. That was the position in 2015, and it remains the position now.
Privacy Shield could have been a meaningful stepping stone to a better data protection world, buying time to fix the foundations of transatlantic data flows. Instead, it was a crappy clip art logo and a drawer full of IOUs on governance and oversight that was repeatedly criticised by activists and regulators alike as not being fit for purpose.
Indeed, I’ve been calling it a #ChocolateTeapot on social media since it was first mooted in 2015.
My prediction: The US will not address the necessary fundamentals. The EU Commission will either
a) Burn huge amounts of credibility and political capital pushing through the Bastard Son of Shield or
b) Declare there is no potential in any deal early on and walk away.
I’d like it to be B) but it will almost inevitably be A), which will have the entire thing up in front of the CJEU again in 2025/2026 and another striking down by 2027.
Data Protection as a Fundamental Right: The Battleship vs the Lighthouse
There is an oft-told story of a battleship commander who, on being advised of a light in the distance that wasn’t changing course, jumps on the radio. “This is Admiral Johnson of the battleship Saratoga, please change course”. The other vessel responds “No. You change course”. The Admiral responds “I’m an Admiral in the US Navy, in command of a heavily armed battleship. I order you to change course”. The other vessel responds, “I’m a civilian on-shore lighthouse keeper. I suggest you change course”.
Now, this charming story illustrates the reality that faces the US Department of Commerce and the EU Commission in negotiating any Bastard Son of Shield (BSOS). The Commission will need to decide if it wants to run aground (again) on the rocks of the CJEU. Because the CJEU is the lighthouse here. It is charged with ensuring that EU law is administered correctly and, since 2009, in line with the Charter of Fundamental Rights.
Arguments in relation to transatlantic data flows and other issues are the equivalent of the Admiral pulling rank. In other circumstances they might be persuasive and important arguments. However, we’re dealing with a conflict of fundamental principles here, and the CJEU is attentively manning its lighthouse. For any other outcome, the Commission has to be able to persuade the lighthouse to move.
Privacy Shield had a Logo before there was a deal
Dinosaurs like me will recall that Privacy Shield had a logo long before there was any deal announced, and even longer before there was any paperwork behind the deal which could be reviewed. As I recall, the logo was donated by Microsoft, but I might be misremembering that (but it does look like it was cobbled together in MS Publisher).
While we have a press release announcing talks about talks about the potential for a possible deal for the BSOS, we don’t have a logo yet.
Until we have a logo, this is just wind and guff. Until we have clipart, there’s definitely nothing to see here.
What does this mean for Data Controllers?
In this case, we should comfortably ignore the man behind the curtain. There is no man, and there is no curtain.
- Transfers on the basis of Privacy Shield are unlawful. Full stop.
- Standard Contractual Clauses are (as with Safe Harbor) a stop-gap measure on a case-by-case basis, with the added wrinkle that the CJEU has reaffirmed that Controllers have to check the lay of the land in the receiving country to ensure compliance with Clause 4 of the Model Clauses/Standard Clauses, and “importers” need to pay attention to Clause 5 of the Standard Contractual Clauses. (and here’s a mandatory Marx Brothers reference)
- The Commission and the Department of Commerce are having talks about talks but there is no BSOS yet (no logo, no deal)
- Even IF there is a BSOS, unless the US addresses the fundamentals raised by CJEU, the BSOS is going the way of the Harbo(u)r and the Shield so really won’t be a solution for anyone.
Controllers should ignore the speculation and Pollyanna-esque thinking. Review suppliers, identify those who are relying on Privacy Shield. Determine what their alternative is (e.g. SCCs), assess whether data going to third countries under SCCs is subject to adequate safeguards, and take appropriate action to replace suppliers as needed.
We’ve been here before. Time to get things right.