EU/US Say They’ve Agreed To A New Privacy Shield… That Doesn’t Seem To Deal With Any Of The Problems Of The Old One
from the lipstick-on-a-dead-pig dept
Last week, the EU and the US announced something important that sounds pretty boring — a new “privacy shield” agreement. You should know it’s important, because in the midst of dealing with everything else, including the Russian invasion of Ukraine, President Biden actually made a public statement with European Commission President Ursula von der Leyen to announce it (in a speech that also included talk about the Russia/Ukraine situation). Here was the key bit:
And I’m proud to announce that we’ve also reached another major breakthrough in transatlantic data flows. Privacy and security are key elements of my digital agenda.
And today, we’ve agreed to unprecedented protections for data privacy and security for our citizens.
This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.
Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.
This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.
A little history if you don’t follow this too closely. For years, the US and the EU had a “privacy safe harbor” setup, by which US internet companies were allowed to collect some data on EU users by agreeing to live up to certain standards. What this meant in practice was that every US internet company had to hire some random “privacy auditor” in the EU who would bless you with some sort of compliance statement. It was kind of a boondoggle (and, yes, we had to go through it ourselves).
Back in 2015, privacy advocate/perpetual thorn in the side of companies who collect data, Max Schrems, successfully challenged the legality of this agreement at the EU Court of Justice. What the EUCJ said in scrapping the privacy safe harbor agreement was that the NSA’s PRISM program (exposed by Ed Snowden, and involving pressuring US internet companies to cough up information on users) violated the safe harbor.
Suddenly, it became unclear if US internet companies even could continue to collect data from EU users. There was a lot of scrambling, and in early 2016, the EU and the US announced a new privacy safe harbor, with the catchier name “Privacy Shield.” However, as we noted at the time, considering that the US refused to end the NSA’s collection program under Section 702 of the FISA Amendments Act, it didn’t seem possible that the new agreement would survive a challenge.
And, indeed, Schrems challenged the Privacy Shield again, and once again, in 2020, the EU courts rejected the Privacy Shield. In that decision, the court continued to call out NSA surveillance, including Executive Order 12333, which, as we’ve noted, is actually the main source of the NSA’s foreign surveillance powers, and (according to some) not subject to Congressional review.
So, now, the US and the EU claim they’ve come up with a new Privacy Shield framework that will allow the data to flow freely across the Atlantic. But I don’t see how that’s possible. Because 12333 still exists. And, back in 2018, Congress renewed Section 702 of the FISA Amendments Act. So the two biggest reasons why the EUCJ has rejected these agreements — two giant NSA spying programs — still exist. I don’t quite see how any new agreement is going to get around that without significantly modifying the NSA’s surveillance program.
Schrems seems, let’s say… skeptical.
“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”
“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
While US tech companies have been “celebrating” the deal, they really shouldn’t bother. It’s hard to see how this survives another round in court, until the NSA has its wings clipped.