Tom dives into the complex history and potential implications of EU-US Privacy Shield.
Featuring Tom Merritt.
Please SUBSCRIBE HERE.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to [email protected]
Episode Script
I heard Europe declared sending data to the US illegal
Does that mean I can’t send email to my friends?
Is Facebook going away in Europe?
Are you confused?
Don’t be.
Let’s help you Know a Little more about the EU-US Privacy Shield
On July 6, 2020 the Court of Justice of the European Union or CJEU- invalidated an agreement between the EU and US that let data to be transferred easily between the two countries.
The agreement known as Privacy Shield was the most recent attempt to harmonize the privacy laws of the two governments.
So why do we even need this and why do I care?
You may care if you use any kind of cloud service in the US from Microsoft Azure to Facebook, because without easy data transfer your costs could go up or services might go away.
Here’s why you need an agreement at all.
With a few limited exceptions, it is illegal for a company to send personal information about EU residents to a place that doesn’t offer equivalent privacy protections to what the EU provides.
This does NOT apply to “necessary” data transfer, like sending an email from the EU to the US or booking travel on a US website from the EU or vice versa. This law applies to data that could be stored anywhere.
About 5,000 companies move personal data between the US and EU for their own internal reasons. Maybe they get a better deal on servers in one location so they store all the data there. Maybe it makes some particular operation more efficient.
Cross-border activities include cloud services, Human Resources, marketing et cetera.
Of course companies could just keep EU data in the EU and US data in the US but that means redundant systems, complex programming to make sure data gets routed to the right region, difficulties when you need to look at all your data in aggregate across the two regions and more. It costs more money to keep the two region’s data completely separate.
Here’s a really oversimplified example. I run a website called dailytechnewsshow.com and I turn on comments. My web server is in the US. without an agreement, when somebody makes a comment from Europe, I need to store that comment in the EU. Which means I now have to have a separate server just for EU comments, doubling my costs. Also when I run analytics on my visitors to see how many people are visiting and what they click on I have to run it separately on the wto servers then aggregate the data the end to see results. This means my stock analytics program might need to be reprogrammed.
Yes I can already hear the objections that this isn’t really how this works but it gives you a metaphor. Take those problems and multiple them by $5 trillion and corporate cloud services and you can sort of wrap your head around the problem.
Now, This is only an issue for companies who operate across both the EU and US. If all your personal data is in the EU, you just keep all your data there, problem solved.
But if you have customers or employees in both regions you need to respect both region’s laws. Privacy Shield makes doing that simple.
Without an overall agreement, each of approximately 5,000 companies that handle data across the US and EU, have to negotiate their own Standard Contract Clauses or SCCs– or use a similar mechanism called Binding Corporate Rules or BCR. For simplicity from now on we’ll just refer to SCCs since the issues with both are similar.
Of course the other option is to stop bringing any personal data from the EU to the US. which as we said, costs money, time and resources.
We used to have a solution for this.
From 2000 to 2013 everything seemed like it worked fine under an agreement called Safe Harbor.
Companies sending EU citizens’ data to the US opted into EU-style privacy rules, enforced by the US government.
The other option was the aforementioned SCC that uses preapproved EU contract language to essentially achieve the same thing.
Big companies with enough legal expertise usually implemented SCCs as a backstop but all companies were covered under the Safe Harbor rule even if they didn’t want to mess with SCCs.
Then Edward Snowden came along and leaked documents showing that the US NSA had access to bulk collection of data from people who were not citizens of the US.
Austrian Max Schrems challenged the Safe Harbor agreement, arguing that the NSA access was allowed under Safe Harbor and therefore the Safe Harbor agreement was in conflict with EU law which didn’t allow this kind of surveillance.
The Court of Justice of the European Union agreed with Schrems and ruled that Safe Harbor did not properly protect EU data.
The court identified two main problems. The process of bulk access by US intelligence services was the first..
In the decision striking down Safe Harbor, the European court wrote “…access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.”
The second problem was the inability of EU citizens to seek redress in the US over this access which the court determined interfered with the right of EU citizens to an effective remedy,.
In the wake of this invalidation, EU lawmakers and the US Department of Commerce worked together to create Privacy Shield, a new framework that addressed the court’s concerns. The US Office of the Director of National Intelligence made written assurance that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Six situations were defined for when the NSA could use bulk collected data. This was meant to show the access to bulk data was not general.
As for the right to complain in the US, Privacy Shield also created an independent Ombudsperson who could hear complaints from Europeans about how their data had been handled by the NSA. The US put this person in the State Department, separate from national security services.
Complaints had to be resolved in 45 days and national data protection authorities would work with the US FTC and Commerce Department to resolve all complaints.
And the US enacted a law giving EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes.
In practice, each company would have to certify its privacy policies were in line with Privacy Shield each year and the US department of Commerce would verify this.
It was adopted in 2016 but immediately faced criticism. Particularly people felt that privacy Shield would not be compatible with the General Data Protection Regulation or GDPR, which had just been passed in 2016 and would go into effect in 2018.
Max Schrems brought another case against privacy Shield– commonly called Schrems II– and won again
So Why Did Privacy Shield Fail?
The European Court said “The limitations on the protection of personal data… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
In other words, limiting bulk data access to six cases did not give Europeans equivalent privacy protection to what they got in Europe.
But the court didn’t invalidate the SCCs instead saying that companies must decide whether the laws of the countries where they are sending data offered adequate protection under EU law. Most companies took that to mean they could keep using SCCs and continue operations as normal.
And on cue a Max Schrems appears. Well this time, Noyb, a group founded by Max Schrems filed complaints against 101 European websites arguing they stop sending data to US-based tech providers– even under SCCs– because the US doesn’t provide adequate protection for Europeans against surveillance.
These complaints are lodged with Europe’s individual country’s data protection agencies based on where the companies running the websites are headquartered.
Facebook’s European operations happen to be headquartered in Ireland.
Guess what happened next?
In September, 2020, Ireland’s Data Protection Commission issued a preliminary order for Facebook to suspend EU user data transfers to the US. Ireland said the SCC was not sufficient. The order has not been finalized and could change. Facebook had a chance to respond and a new draft was sent to the 26 privacy regulators in the EU for joint approval.
Facebook is taking this seriously.
In a filing, Facebook wrote “In the event that [Facebook] were subject to a complete suspension of the transfer of users’ data to the US, as appears to be what the DPC proposes, it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”
You take away our SCC protection, we take away Instagram!
Would they? Well that might be costlier than adapting to keeping data separate but they certainly are worried about it. Facebook can also tie this up in the courts for awhile to buy time.
As to those SCCs, there may be hope for Facebook and others on that front as well. The EU had been working on updating SCCs to account for GDPR. That work paused t while the Privacy Shield case was going on– you know to see what would happen– but the work has now resumed.
And the EU and US are still working on a new agreement. The problem is the two major court decisions seem to leave the US no choice but to change its surveillance laws in respect to Europeans.
But the US says its surveillance practices are proportionate. The US Commerce Department believes amendments to US laws passed since 2016 increase protections and mitigate many of the concerns in the Privacy Shield case.
A white paper issued by the department of commerce in October 2020 essentially says the US thinks the court got it wrong and doesn’t plan to compromise.
It asserts the US collects no more data than Europe. Collection of security data by EU member states is beyond review of the CJEU, and the EU should want the US to collect data to bolster security since it shares intelligence with the EU. This won’t change the Privacy Shield decision, but it may help bolster cases surrounding SCCs.
So here’s where we stand
The Court of Justice of the European Union says the status quo isn’t sufficient.
The US says it is.
The US has given some solid rationale for using SCCs.
European Data protection authorities seem to be going after SCCs.
And thousands of companies, millions of people and billions of dollars in trade hang int he balance.
In other words I hope now you know a little more about the EU-US Privacy shield.