Replacing Privacy Shield – What Should Happen?

Last week I wrote about the Bastard Son of Shield (BSOS) and how the announced ‘talks about talks’ between the EU Commission and the US Dept of Commerce would inevitably lead to another collapsible adequacy decision unless there was some fundamental rethinking of the situation on the United States side of the discussion of any replacement for Privacy Shield.

I believe it is essential now that both sides take this opportunity, an opportunity that has been repeatedly missed since the formulation of Safe Harbour twenty years ago.

The Privacy Shield Problem

Both Privacy Shield, and its predecessor, were attempts to build a bridge across the Atlantic between two trading blocs in respect of the transfers of data about or relating to people. Those trading blocs have somewhat differing constitutional positions on privacy and on the protection of personal data. Europe’s has evolved since the 1980s when the Council of Europe negotiated Convention 108,  and now the right to Data Protection is enshrined in the core legal structures of the EU as part of the Charter of Fundamental Rights. The United States, despite some recent State level legislative progress and sector-level specific scenario regulation, lacks this fundamental basis.

Which is ironic, given that the modern concept of Privacy in a legal sense owes much to the work of Louis Brandeis and the paper he co-authored with Samuel Warren in the Harvard Law Review in 1890 (in response to the development of new data processing technologies like photography), and the fact that the core principles enshrined in Convention 108 are grounded, in part, on Fair Information Processing Principles which were developed in the United States. In many ways, the United States had a fantastic opportunity to be a leader in the world of data protection and developing a fundamental ethical model for processing data relating to people. However, it is now considered a laggard in many ways.

The Privacy Shield problem is that any bridge requires strong foundations on both ends of the span for it to withstand wind, weather, or other shifts in the environment. Without a solid abutments and piers in the structure of the bridge, and without robust bridge bearings to support movement and twisting in the structure due to environmental factors, even the most impressive bridge will collapse.

Building on the Rubble

Right about now, I’m sure that there are negotiators in the European Commission and the US Dept of Commerce who feel like the king in Monty Python and the Holy Grail who built his castle in the swamp. I would suggest that those negotiators (who are doubtless trying to figure out how to square the circle of competing positions), reflect on the fact that the king in The Holy Grail had to build four castles before any of them stayed up. While not discussed in the movie, it’s likely that the King’s previous two attempts provided a foundation of sorts for his third castle.

So, what of the rubble of Privacy Shield and Safe Harbour might provide foundations for the abutments of any future bridge across the Atlantic?

The Privacy Shield System

The Privacy Shield system is actually not a bad idea in a US context and is something that can be built on. This is particularly the case as the FTC has made it clear that it will continue to undertake enforcement actions and require organisations who are registered under Privacy Shield to fulfill their obligations or face enforcement actions.

But it needs to be considered less as a mechanism for cross-border transfer and more akin to a monitoring body for a Code of Conduct or a Certification Scheme under GDPR. Certification schemes can be helpful in respect of cross border data transfers under Article 46(2)(f) of GDPR, but it is likely that they would fall foul of the same underlying issues as Privacy Shield in respect of the wider legal framework that any such scheme would operate in. However… Privacy Shield has many of the attributes of what would be needed as part of a wider solution and we shouldn’t throw the baby out with the bathwater.

Convention 108+

A key requirement for any future bridge, in my opinion, would be the US acceding to Convention 108+, which should then form the basis for any future Federal Data Protection law. This would provide a common reference model for fundamental data protection concepts. It would also provide ‘scaffolding’ for the the development a structured Federal Data Protection law that can be mapped to the European model. Any such Federal law will need to create a consistent governance structure for Data Protection Supervisory Authorities at a State and Federal level. On one hand, the existing Attorney General model in the US is one approach. The German model which has Supervisory Authorities for each of the Lander as well as a Federal Authority is another model.

The big value of the US acceding to Convention 108+ would be the optics of the end of American exceptionalism in this area and a recognition of the importance of fundamental common framework for data protection that supports and enables cross-border transfers based on shared principles and commitments. This would go beyond the “we promise to be good” assurances contained in Privacy Shield and would put the US’s commitments in this area into a framework which would have an independent arbiter, the European Court of Human Rights.

It’s not a panacea, and when we look closely at some of the other countries that have acceded to Convention 108+ and that have introduced data protection laws based on the core principles in the Treaty, we can see the limitations of this approach when faced with domestic laws and government culture that is not aligned. After all, Russia is a party to the Treaty. However, this is why Convention 108+ is only part of the solution. After all, not every country that has acceded to Convention 108 is recognised as a “safe country” with an adequacy decision from the European Commission.

But it’s a start.

 Federal Data Protection Law

Another essential building block will be the passing of a Federal Data Protection law. This needs to avoid the historic pitfalls of data protection /privacy legislation in the US and not be sectoral in nature. Rather it should provide a baseline standard against which other laws can raise the bar (higher standards) or lower the bar (reduced protections) based on the needs of specific sectors. It also needs to allow States to implement higher standards if they wish, but establish a minimum floor. It will also need to consider the application of data protection laws to law enforcement activities to ensure alignment with 4th Amendment principles.

It’s also worth bearing in mind that the current legal structure in the US that relies on the FTC for data protection/privacy enforcement only applies to entities that fall within the scope of the FTC’s sphere of regulation. So a number of sectors (e.g. not-for-profits) can fall between the cracks in the current regime. A clean-slate, omnibus law could address these types of issues.

Why should the US do this? Well, in addition to improving its position and establishing some bona fides when talking about cross-border data transfers, its something that an increasing number of Americans would be in favour of. The research over the last 30 years has been pretty conclusive (see our meta study for Verimatrix a few years ago), and the latest research from KPMG doesn’t contradict the trend.

The alternative is a continuation of the State level development of data protection laws, largely influenced by California. While this might help raise standards, it will do so with a degree of variation between States. A Federal law would act in the same vein as the GDPR, providing a common floor for State legislation.

Reform of Intelligence Gathering Laws

A common refrain I’ve heard from American friends is that EU member states also engage in spying, so the focus on Section 702 of FISA and EO 12333 is unfair and hypocritical.

Yes, EU Member States do engage in espionage and in intelligence gathering. However, where this is carried out by law enforcement bodies it falls within the scope of the Data Protection Directive for Law Enforcement and within the limits of the EU’s Charter of Fundamental Rights. As such, there are constraints. And while national security intelligence gathering sits outside the scope of EU competencies (national security functions remain reserved to Member States under EU Treaties). However, the fundamental right to Data Protection still remains in EU law in the Charter and in the Treaties, and the European Convention on Human Rights enshrines a Right to Privacy in the wider European context.

Necessity and Proportionality are the key watch words here for intelligence services in the EU. This was clearly set out in the Digital Rights Ireland case where the Data Retention Directive was struck down. Further cases are hinting at further complications for intelligence services in the EU. The German Constitutional Court has recently ruled that the operations of its intelligence services are governed by German Constitutional law and therefore must be “brought into the light of the law“. In an upcoming CJEU case on the ePrivacy Directive and counter terrorism (actually four cases joined together), the Advocate General has advised that the obligations placed on telecommunications providers by legislation allowing for bulk obtaining of telecommunications data on behalf of intelligence services, even where there is a statutory basis, are incompatible with EU law.

So, yes. EU member states engage in surveillance and espionage and interception of communications. But the provisions are subject to judicial scrutiny and the lawfulness of these measures is being challenged. Any extra-legal operations must be normalised and brought under control or ended.

So, the US needs to take on board the comments and criticisms of its surveillance state legislation and improve safeguards and transparency. And this is a journey that intelligence services of all colours are probably going to have to take together.

This means tackling the issues of effective oversight and redress highlighted now in at least one CJEU ruling.

Laying The Bridge Foundation

Each of these elements discussed here are key components in the foundation of any future stable and robust data transfer regime between the EU and the US. Any one of them alone will not succeed, and it is a case of ‘the more the merrier’ when we want to be sure of the strength of the abutment on the US side of the Atlantic Privacy Bridge (aka, the Bastard Son of Shield) whether it takes the form of an adequacy decision or simply SCC’s on steroids.

Whither Standard Contractual Clauses?

Standard Contractual Clauses need to be updated. This has been the case since Regulation 2016/679/EU became the new legal order. However, the question arises as to whether they are a valid basis for data transfers to the US. The answer to this is a resolute “it depends” and “how much are you willing to gamble?”

In a blog post on the IAPP’s website suggests an approach to dealing with the US situation. Personally, I’m not immediately convinced, but there is food for thought there. However, it rests entirely on an assumption that things can’t get any worse and that the oversight and necessity and proportionality issues are actually addressed to a standard the CJEU would consider meaningfully equivalent. They even suggest encryption as a mechanism to work around some of the issues, but they require the keys to be held such that the US authorities couldn’t compel they be provided. Given the efforts the FBI went to to get into one person’s iPhone, and the general antipathy to encryption we have seen in the US legislature, this could be wishful thinking.

Transfers Elsewhere

In interviews with various media outlets over the past few weeks, the question was raised about whether this was an attack on transfers to the US driven by a lone Austrian activist, or whether transfers to other jurisdictions would be similarly affected. Specifically I have been asked about transfers to China and Russia. And my summary answer is that I’ve always advised caution with transfers to China and Russia, the only mechanism permitting such transfers is Standard Contractual Clauses, and the decision in DPC vs Facebook & Schrems means that the equivalence of protections that are possible in those jurisdictions needs to be assessed, just as with transfers to the United States under Standard Contractual Clauses.

Given the need for legal certainty, or at least a fighting chance of correctly identifying and mitigating risks, other countries are probably going to have to up their game. For example, Australian companies (should) rely on Standard Contractual Clauses if they are processing personal data on behalf of EU-based controllers. But Australia has an anti-encryption law on its books. Therefore, it’s open to question whether transfers to Australia under SCC’s would be lawful (hint: I don’t think they actually are).

And, come January, the UK will find its surveillance regime and other aspects of its protections for personal data under scrutiny as it becomes a third country finally outside the EU/EEA.