With recent GDPR decisions fundamentally putting an end to how companies process data as we know it, there is now a huge push for better alignment between the EU and US on data privacy.
For a long time, companies and other institutions felt safe under Safe Harbor and Privacy Shield. But, as data became more of a commodity and the practice of collecting and selling it became more lucrative and invisible, people began to take notice. Now, we're at the point where we need new data privacy agreements.
Everyone wants this, but how did we get here and are we any closer?
What was the Privacy Shield?
Back in October 2015, the European Court of Justice invalidated the International Safe Harbor Privacy Principles.
Safe Harbor, developed between 1998 and 2000, was meant to prevent private organizations from disclosing or losing the personal data of EU and US citizens. After many complaints, including about Facebook data, the EU decided that the US and Safe Harbor did not comply with the EU Data Protection Directive.
This Safe Harbor decision is also known as Schrems I. In an effort to limit the negative impacts of invalidating Safe Harbor, the EU and US created a new data framework, Privacy Shield, in 2016.
This new agreement was supposed to remedy some of the failings of Safe Harbor, but, according to the European Data Protection Supervisor (EDPS), there were still some issues related to the deletion of data, collection of massive amounts of data, and the new Ombudsperson mechanism. Regardless of these points, the European Commission adopted the Privacy Shield in July 2016.
Privacy Shield and Schrems II
The potential issues spotted in 2016, a drastically changing tech landscape, and political changes on both continents, led to the downfall of Privacy Shield in 2020.
Austrian privacy activist, Max Schrems, argued that the data agreement did not do enough to protect the privacy of the personal data of EU citizens when it was transferred to the US.
The main issue that brought down the framework was US mass surveillance.
“The Privacy Shield was not the main issue; the issue is that the Privacy Shield had to yield to US surveillance laws,” Schrems said.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, added that the issues with Privacy Shield and Safe Harbor were never about examining data for security reasons, but more about transparent processes and legal protections for EU citizens.
“The main crux is that a judge can provide someone who is outside the US a legal safeguard, that they can have their rights vindicated if their rights are infringed upon,” Ryan said.
Without those protections in place, and with no real way of addressing those concerns quickly, Privacy Shield was invalidated in July 2020, in a decision that is now known as Schrems II.
The Future of Privacy Shield
Without a legal framework for processing data as it flows between Europe and the US, countries across Europe have been declaring many types of data transfers illegal: Austria and Google Analytics, Belgium and IAB, France and Google Analytics, etc. By this time, there are most likely more to add to that list.
Such cases are making the necessity of a Privacy Shield replacement even more important - for leaders on both sides of the Atlantic.
Not to mention the fact that many EU countries and agencies are narrowing in on the data practices of big tech companies, like Facebook, Microsoft, Amazon, and Google.
Since President Joe Biden entered office, he has been working on a replacement, along with Europe Commission President, Ursula von der Leyen, but so far there has been nothing to show for these meetings except words of optimism.
At the Trade and Tech Council (TTC) meeting in September 2021, the US offered a quasi-judicial oversight mechanism over national security agencies in order to get a new agreement signed before the end of the year, but the deal was not accepted. There is hope that recent negotiations will lead to a better outcome at the next TTC meeting in May 2022.
Many are hopeful that both parties will be able to come to an agreement that allows American intelligence agencies to continue to access people’s data, while also protecting the rights of EU citizens.
One solution may be the creation of an independent judicial body that will oversee complaints from EU citizens who feel US agencies have unlawfully handled their data.
The details of that plan - like how would someone even know to make a complaint in the first place, and if they would even hold up in court - are yet to be seen.
But one thing is clear, whatever decision is made, it will not be made in Congress - a fact that could kill any deal before it even starts.
Since political agreement and progress is hard to come by these days, any change that is made would have to be compliant with existing US rules and regulations.
Most experts agree that any significant progress would have to be made through legislative changes in the US that limit how national security agencies can access EU data and give EU citizens a clear and transparent way to legally challenge that access in courts.
Without those things, how long is it before we have a Schrems III?