US ‘guarantees’ show that proposed Privacy Shield will not protect EU data

Renegotiated agreement between European Commission and US lacks substance

Austrian Max Schrems  before  the verdict of the European Court of Justice in Luxembourg in   October 2015,  which led to the dismantling of the Safe Harbour agreement  which let companies  self-certify that they provided European-level privacy safeguards to European data held in the US.  Photograph:   Julien Warnand/EPA
Austrian Max Schrems before the verdict of the European Court of Justice in Luxembourg in October 2015, which led to the dismantling of the Safe Harbour agreement which let companies self-certify that they provided European-level privacy safeguards to European data held in the US. Photograph: Julien Warnand/EPA

Will Privacy Shield – the proposed replacement for the disgraced Safe Harbour data exchange principles – be a runner? Businesses on both sides of the Atlantic will hope so. They’ve been in a state of legal and trading uncertainty ever since October, when the European Court of Justice (ECJ) vaporised the 15-year-old agreement enabling companies to self-certify that they provided European-level privacy safeguards to European data held in the US.

As the ECJ noted in its scathing Schrems decision, oversight of, and thus any guarantee of compliance with, Safe Harbour was laughable. In addition, documents from whistleblower Edward Snowden had demonstrated that US intelligence agencies were engaged in large-scale mass surveillance activities which included programmes to siphon data from multinational internet and social media companies. European data in the US was exposed to such activities despite Safe Harbour.

At the start of February, the European Commission and US authorities rushed to present a renegotiated agreement called Privacy Shield – or "the" Privacy Shield, as it is referred to in documents. It came complete with a logo, but lacking any actual formal substance, such as an actual written agreement.

We still have no sight of the formal agreement, but this week, just in time for a deadline to produce something tangible, the commission issued a “Privacy Shield adequacy communication”, a package of documents that is the latest salvo to convince Europeans that the shield will do the job intended.

READ MORE

The core document, from the commission itself, presents Privacy Shield as part of a three-pronged data protection package, alongside the new EU general data protection regulation and a new EU-US umbrella agreement that streamlines data exchanges for law enforcement purposes.

Then, there are a number of “annex” documents, letters from government bodies in the US explaining relevant aspects of their Privacy Shield commitments. Two are particularly interesting.

First, the 18-page letter from the office of the director of national intelligence, Robert S Litt, goes into a detailed explanation of quaintly termed "signals intelligence" (read: surveillance) operations and oversight. Second, a nine-page letter from US secretary of state John Kerry covers the proposed role of an ombudsperson who would consider privacy-related complaints brought by EU citizens, and President Obama's presidential policy directive 28 (PPD-28) of January 2014, his post-Snowden "important intelligence reforms" limiting some activities of the National Security Agency.

Anybody interested in US policy thinking on surveillance and data privacy, and wanting a list of the acts and structures that provide oversight (such as it is) to national and overseas surveillance, will want to have a look at both.

However, it is just these documents which undermine the commission’s claims that Privacy Shield can guarantee EU citizens’ data in the US will receive the same protections as in the EU.

While they go a distance in offering some new redress and oversight structures, they also clearly note that such protections are offered only within the framework of greater national security needs and exemptions, which remain murky and subjective.

For example, Kerry notes that the Privacy Shield ombudsperson “will neither confirm nor deny whether the individual has been the target of surveillance nor will the ombudsperson confirm the specific remedy that was applied”. This goes directly against one of the specific concerns highlighted by the ECJ in the Schrems case and its earlier 2014 decision to throw out the data-retention directive – that EU citizens are entitled to know if they have been unlawfully spied upon and have meaningful redress.

Litt’s letter contains many “get out of jail free” clauses, such as noting that PPD-28 mandates that other less-intrusive intelligence methods be used rather than bulk surveillance “whenever practicable”. Who determines that?

As for the claim that “the US intelligence community collects foreign intelligence in a carefully controlled manner”, it is hard not to – let’s be frank – smirk. We wouldn’t be pursuing a replacement to Safe Harbour, if that were true.

But what really irks is that the commission explains at length the benefits of the new umbrella agreement that interlocks with Privacy Shield and is supposed to offer “harmonised data protection safeguards” when data is exchanged with the US “between relevant authorities in the area of criminal law enforcement”.

Yet – according to indirect references in the commission document – these safeguards have no application to an ongoing US case involving Microsoft.

The company is fighting US government demands that it hand over emails in its Dublin data centre for a drugs case in New York, without a warrant. Nor has the US used established international treaties to request the data.

This case is not some odd outlier but critically important to businesses and the future of data exchange, cloud computing, internet commerce, online communications and personal and corporate privacy. If the US doesn’t see any contradictions in defending this case while promising adequate protections for European data, how can we possibly believe Privacy Shield will be fit for purpose?