The future of the EU-U.S. Privacy Shield was the center of attention Thursday at the European Parliament as representatives from the U.S. government and the European Commission once again made the case – to a skeptical parliamentary committee – for why the agreement is the best way forward for both sides of the Atlantic. Hurdles clearly remain for the framework’s final approval.
The hearing, hosted by the LIBE Committee, also featured testimony from the Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin and European Data Protection Supervisor Giovanni Buttarelli, as well as privacy practitioners, advocates and industry.
Top concerns include whether it will hold up to court scrutiny, the nature of U.S. government access to European citizens’ data, and the effectiveness of the four redress mechanisms laid out in the Shield package – particularly the independence of the proposed ombudsperson in the U.S. State Department. Members of Parliament also expressed concerns about whether a change in the U.S. presidency could potentially eliminate the written assurances provided by President Obama’s cabinet.
The first hurdle for the Shield comes in a few weeks when the WP29 issues its opinion on it. During the hearing, WP29 Chairwoman Isabelle Falque-Pierrotin expressed concern that the Shield didn’t appear to address data retention obligations. She also questioned how available the redress mechanisms will be to EU citizens. Though the WP29’s findings are non-binding, the members do have enforcement authority over businesses in their respective countries, so their opinion will be influential.
But officials from the European Commission and DOC argued that the Shield is not Safe Harbor 2.0.
“We have managed to overcome a number of weaknesses from Safe Harbor,” said European Commission Director General of DG Justice and Consumers Tiina Astola. “Privacy Shield is very different from the old Safe Harbor, and we hope to adopt a new adequacy decision in the coming months.” She also pointed out that the agreement is part of an ongoing arrangement, not a static implementation.
The U.S. Department of Commerce Deputy Assistant Secretary for Services Ted Dean agreed, calling the deal “a living framework” that mandates annual review sessions. “We viewed this as a critical component of the framework,” he said. “We see it as the beginning and not the end of the process.”
European Commission Head of Data Protection Unit Bruno Gencarelli also agreed, and pointed out that a suspension clause allows Europe to pull out of the deal at any time.
Withholding any final judgment of the Shield, European Data Protection Supervisor Giovanni Buttarelli was cautiously optimistic. He said that it was a serious sign that U.S. government agencies like the Department of Justice, Department of State and Office of the Director of National Intelligence have been involved in the negotiations. He said a “lasting solution” must be found, but that it’s currently too early for any legal insights from the EDPS at this stage.
He also stressed the global importance of the agreement, not just for both sides of the Atlantic. “This decision will set the standard," said Buttarelli. "Other countries may want to have their own version of the Shield.”
But there was plenty of criticism of the proposed arrangement to go around.
“We need a solution, but is Privacy Shield the answer? It’s a step up, but is it what the court asked for?,” queried Max Schrems, a lawyer and activist whose case against Facebook led to the invalidation of the Safe Harbor framework. Schrems also argued that the redress mechanisms built into the Shield are cumbersome and “incredibly difficult to navigate.”
Marc Rotenberg, of the Electronic Privacy Information Center, went further, arguing that the Shield is actually weaker than the previous Safe Harbor agreement. He said the Commission should have held out longer, and used its leverage to convince the U.S. government to end Section 702 of the FISA Amendments Act as a precondition to the agreement. Plus, he argued, the alternative dispute resolution portion of Shield “is not favored by any privacy or consumer group in the U.S.” On Wednesday, more than two dozen groups – including EPIC – sent the EU a letter urging a renegotiation of the Shield.
But for privacy practitioners and industry, the need for a new data transfer agreement is urgent.
“Privacy officers have been rushing” to find solutions since the invalidation of Safe Harbor, said the Centre for Information Policy Leadership’s Bojana Bellamy, CIPP/E. “We need a spectrum of data transfers,” she said, but just having model contracts and standard contractual clauses “do not deliver privacy for people on the ground.” She also said that the Shield pushes organizations to be more accountable, to put in comprehensive privacy programs, and to protect personal data across the data flow chain because of the onward transfer mechanism.
Plus, Bellamy said she believes there will be robust enforcement of bad actors. “The FTC is a hugely formidable enforcer,” she said, adding, “I have no doubt they will take action.”
John Higgins, Director General at DigitalEurope – a trade group representing hundreds of tech businesses – also backed the proposed agreement. “After months of uncertainty,” he said, “we really need to restore certainty,” he said. “We have full confidence that the European Commission has done their homework and this will withstand the court challenges.”
Dutch MEP Sophie in’ t Veld, who was critical of the Commission and the Shield throughout the hearing, argued the deal will not withstand court scrutiny.
Bringing the framework in front of the Court of Justice of the EU will not, however, be up to the Commission because it does not have voluntary jurisdiction. Rather, it would have to be challenged in a way similar to how Safe Harbor was challenged by Schrems.
She also questioned the written assurances from the U.S. government, asking what would happen if Donald Trump, for example, was elected president.
“These assurances are not made by [Secretary of State] John Kerry in a personal capacity,” said the Commission’s Bruno Gencarelli. “They are made by members of the U.S. government because they are empowered to make such commitments. Therefore, the commitments would bind us to the next administration until they are repealed or withdrawn. The fact they are published in the Federal Registry confirms this commitment,” he added.
For the DOC and Commission, what sets the Shield apart from the previous arrangement is the ability for the Commission to suspend the Shield. “If there is any walking away from these commitments,” said the DOC’s Dean, “the Commission will not need to wait for an annual review.”
Those backing the Shield readily admitted that it’s not a perfect solution, but argued that shouldn’t mean it should be scrapped. “We have to not let the best be the enemy of the good,” said DigitalEurope’s Higgins. “This is a good scheme with a review period. We should see how it works in practice, and address any issues as they arise.”
“Otherwise, we’ll never get there,” he added.
Though the agreement might not be perfect, for Bellamy, the agreement is needed. “Is it perfect? No,” she said, “but I’m speaking as a pragmatist.” For her, there isn’t a better alternative and there’s too much on the line for the digital economy, particularly for Europe.
“We cannot have fortress Europe,” Bellamy warned. “It’s not what Europe’s about.”