What’s behind the shield? Unspinning the “privacy shield” spin

By EDRi · February 3, 2016

  • If there is a deal, why was nothing published?

This is standard practice for the European Commission. When an agreement is reached, the Commission issues a press release, but does not publish the actual agreement. In this way, the Commission can control the amount of information available to journalists and the general public. It then publishes the actual document once the press cycle is over and the details are no longer newsworthy.

  • Was there a deal?

Actually, there was no deal. The Commission had to announce something on 2 February in order to prevent regulators from starting enforcement action against companies that were (and, today, still are) transferring data illegally to the United States.

  • Is it strategically wise to announce a deal before discussions have been completed?

For the US, definitely; for the EU, it was strategically disastrous. As the EU has announced a deal, European negotiators have absolutely no leverage in the discussions around the detail of the agreement. Politically, it is impossible for the EU to reject anything that the US now proposes, because it is politically impossible for the Commission to abandon negotiations after it announced the completion of an agreement.

  • Are there significant questions to be addressed?

Yes. The US was so sure that it would be able to persuade the EU to capitulate in the negotiations that it adopted the flawed “Cybersecurity Act”. That legislation includes a provision under which Internet companies (either voluntarily or under coercion) will be able to secretly share personal data with US authorities – in direct contravention of the ruling of the Court of Justice of the EU. Similarly, the previously announced but unpublished (see the first bullet point, above) Umbrella Agreement is seriously deficient and needs to be re-negotiated before it can be adopted. The EU now has no leverage to demand this. Finally, the crucial Judicial Redress Act has been amended by the US Senate in a way that means that individuals outside the US can only get redress if their government shares enough data with the US authorities.

  • Whose dictionary will be used?

A further major problem with the current approach is that the EU and US have different interpretations of the words being used. Under current US practice, collecting all information related to European citizens does not constitute processing of personal data and is targeted. Under current EU practice, such data collection is processing of personal data and is not targeted.

  • But at least the Commission will review this agreement every year?

Under the illegal Safe Harbor agreement, the European Commission was obliged to present an evaluation by July 2003. It failed to meet this obligation and submitted the evaluation one year and three months after the legal deadline. Part of the reason for this delay was the effort it took to re-invent the evidence to show that the failing agreement was actually working. The Commission was not held accountable for failing to meet this deadline. Similarly, under the Data Retention Directive, the Commission was obliged to produce an implementation report by 15 September 2010. It finally published its implementation report on 18 April of the following year. The Commission was not held accountable for failing to meet this deadline.

  • But at least the Commission will be able to suspend the agreement if it feels it is not being respected?

When the Commission saw in 2013 that the Safe Harbour agreement was not protecting EU fundamental rights (and as it most probably saw in 2004 also), it could have and should have suspended the agreement at that time. It took the political decision not to do this and was not held accountable for failing in its duties. Having “negotiated” the new “Privacy Shield” agreement, it would politically be even more difficult to suspend the deal. It is simply inconceivable that the Commission would suspend the agreement.

  • But at least there will be no mass surveillance any more?

It is true that some significant reforms have been made in the US – although often fixing quite absurd, undemocratic practices. For example, as a domestic reform, the US authorities have promised not to invent new meanings for legislation after it has gone through the legislative process. However, fundamental problems remain with the key mass surveillance measures, in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12.333. A simple question needs to be asked: if the judicial body tasked with oversight of implementation of FISA can be “systematically misled”, if the author of the PATRIOT Act can complain of that legislation being “abused”, if a group of congressmen can credibly accuse the Director of National Intelligence of “lying to Congress under oath”, then what trust can non-US citizens have in letters signed by an outgoing US President?

  • But at least there will be proper oversight of corporate exploitation of our personal data?

Not exactly. If an individual manages to work out what a privacy policy actually means, if that individual then is able to gain an insight into how the data are really being used on the other side of the Atlantic, in a different jurisdiction, they will have some – as yet very unclear – options. The “fact sheet” produced by the Department of Commerce is very disturbing in this regard. While the opening political fluff speaks of “vigorous enforcement”, the text makes no reference to proactive enforcement, referring only – and in very unclear terms – to dispute resolution.