Are its days numbered?

The European Parliament's Civil Liberties Committee has filed a motion for resolution for approval in plenary session, requesting that the European Commission suspend the “Privacy Shield” agreement between the European Union and the USA, in force since July 2016, designed to facilitate international data transfer between these two zones (see press release).

The Privacy Shield replaced the earlier “Safe Harbor” agreement between the European Union and the USA, which was cancelled by a judgment of the European Union Court of Justice resulting from a claim filed by Austrian citizen Maximillian Schrems before the Irish Data Protection Agency.

In the Civil Liberties Committee’s draft resolution, the European Parliament has granted a term until 1 September 2018, with the recommendation that the Privacy Shield be suspended if, by that date, it has not been attested that the USA fully complies with the international Agreement, with a further recommendation that the suspension be maintained until full compliance has been accredited.

Should this resolution be passed, and should the USA fail to comply with the terms of the Privacy Shield, on 1 September, any data transfers between the European Union and USA carried out within the framework of that Agreement would cease to be valid, and as a result, many companies will be obliged to cease trading should their activity involve this type of transfer. This scenario is not dissimilar to that which arose barely two years ago with cancellation of the Safe Harbor agreement by the CJEU, a decision that led to considerable difficulties for transcontinental businesses.

This recommendation, despite being enormously worrying, is hardly surprising. The CJEU judgment on Safe Harbor contained reasoning which can equally be applied to the present situation. Basically, the CJEU held that if there are no guarantees regarding the fundamental rights and principles of Europeans in data protection matters in the destination country of an international transfer, then said transfers cannot be made to that country. On that occasion, the court referred to European data to which American federal agencies had generalized access, a fact revealed in the documents that came to light with Edward Snowden's mega leak, and which enabled the US public authorities to encroach on the fundamental rights of citizens. The document that has now been issued by the Parliament refers to recent cases, such as that of Facebook and Cambridge Analytica, indicating that both companies were registered under the terms of the Privacy Shield, yet this did not prevent misuse of personal data, making it abundantly clear that this framework is not sufficiently protective of the data subjects’ rights, because under its terms the requirement of supervision and control is not properly implemented.

Even aside from the cases that have garnered so much media attention, it was clear that the Privacy Shield had some serious drawbacks from the start. We recall that back in January 2017, the recently inaugurated President, Donald Trump, signed his first Executive Order after taking office as head of state in the USA, entitled “Executive Order: Enhancing Public Safety in the Interior of the United States” which stated that “Sec. 14. Privacy Act. (State) Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.. With this statement of intent it was patently obvious that the content of the Privacy Shield was not aligned with the principles outlined in the order, and many of us commented at the time that a death blow had been dealt to the Privacy Shield.

The Parliamentary document issued also highlights a further concern, with the USA’s recent approval of the “Clarifying Lawful Overseas Use of Data Act”, known as the “CLOUD Act”, which permits access to data stored by American companies, irrespective of their servers’ location, thus obviating the need to make use of international collaboration mechanisms through judicial cooperation treaties.

Once again, the outlook for international data transfers between Europe and the USA is looking distinctly negative. It is true that there are other mechanisms that regulate international transfers in the General Data Protection Regulation of the European Union (GDPR), applicable since not long ago, but the framework of the Privacy Shield was extremely convenient, because it avoids the need to sign specific documents for each transaction between parties, and makes it easy to comply with the requirement to inform, as well as providing a stable framework for transfers. It remains to be seen whether the Parliament will adopt the Civil Liberties Committee motion for resolution, and if it does, what will happen between now and 1 September. Given the current political scenario, there is little scope for optimism in this regard.