Cantillon: Can Privacy Shield protect our data from the Eye of Sauron?

EU to approve replacement for Safe Harbour, but US NSAs are still watching

Austrian law student Max Schrems, who took a case against the Irish Data Protection Commissioner over his Facebook data. Photograph: Julien Warnand/EPA

This week, the EU looks set to approve the beleaguered Privacy Shield agreement for safeguarding – perhaps – data transfers between Europe and the US.

Privacy Shield is the proposed replacement for the old Safe Harbour principles, which were dramatically shot down by the European Court of Justice (ECJ) when it ruled in favour of Austrian law student Max Schrems in his case against the Irish Data Protection Commissioner over his Facebook data.

Yet it seems the Commission and US authorities had no Plan B ready in case Safe Harbour got the axe. A bit of sabre-rattling by European data protection authorities (DPAs), who threatened to start halting data transfers if no appropriate transfer framework was put in place, galvanised transatlantic negotiations and lo, the Privacy Shield was brandished before the European Parliament at the start of February.

Unfortunately, everyone from MEPs to the Article 29 Working Party (comprising the national DPAs) to European Ombudsman Emily O'Reilly to the European Data Protection Supervisor Giovanni Buttarelli has voiced concerns about the Shield. These can be usefully boiled down to one issue: whether US concessions meet the ECJ's concerns about US national security agencies and their remit to carry out secretive surveillance under a system with minimal oversight. How would EU citizen data be safely redirected away from this Eye of Sauron?

The EU and US claim that some recently renegotiated bits and bobs address those issues. But privacy and legal experts have repeatedly stated it seems impossible for the US to guarantee that EU data receives the protections provided under EU law without legislative changes at US federal level.

This has not happened. Thus, whatever the EU's national representatives might approve this week is, Cantillon predicts, destined to end up back before the ECJ. If the Privacy Shield is also given the boot, and those ubiquitous data transfers – a central part of many levels of transatlantic business – are halted, the consequences begin to verge on the unimaginable.