Privacy Shield 2.0: Too soon to celebrate 

By Aaron Weller, FIP


It’s as if February knew it needed to overachieve if it wanted to keep pace with the rest of the year in privacy news. In three short weeks, the discussion surrounding the next installment of Privacy Shield has gone from ‘it’s nearly official’ to headlines about a declassified report highlighting bulk collection practices of the U.S. intelligence community. Just as a third attempt at establishing a trans-Atlantic data sharing mechanism seemed about to be revealed, recent news creates some uncertainty regarding the announcement of a Privacy Shield 2.0 at the upcoming U.S.-EU Trade and Tech Council meeting planned for May.

With the first two agreements, Safe Harbor and Privacy Shield, successfully struck down by the EU Court of Justice for failing to comply with EU privacy laws, the main grievance rests firmly upon the broad collection practices of the U.S. intelligence agencies and the inability of Europeans to legally challenge unlawful processing practices via a redress mechanism.

Despite a concerted effort to find a solution between the two trading partners, the onus has been placed on companies to ensure the continued trans-Atlantic data flow by utilizing Standard Contractual Clauses in the interim. Just weeks ago, Politico reported that the new agreement is nearly done, with Washington expected to put forward a proposal in February. Despite growing optimism, news of the continued reliance on Executive Order 12333, a Reagan-era remnant which greatly expanded the data collection capabilities of U.S. intelligence agencies, materialized at an inopportune time as negotiations between the trading partners seemed to be moving forward.

A recently declassified report by the Privacy and Civil Liberties Oversight Board on a bulk collection program operated by the U.S. Central Intelligence Agency found the program lacked proper oversight. The report surfaced in response to the now declassified 2021 letter from Sen. Ron Wyden, D-Ore., and Sen. Martin Heinrich, D-N.M., in which the senators asked that the PCLOB’s “Deep Dive II” report, which in part reviewed the CIA’s bulk collection program, be declassified. In the letter, the members of the Senate Intelligence Committee wrote that the CIA had “secretly conducted its own bulk program,” adding that the agency’s collection program was “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes from [Foreign Intelligence Surveillance Act] collection.”

The news comes alongside an uptick in decisions by European data protection agencies against transfers of personal data to the U.S. It would seem that as much as negotiations have been heralded for moving forward, EU regulators are demonstrating they will not turn a blind eye to data transfers.

In recent months, both the CNIL, the French privacy regulator, and the Austrian regulator ruled that the use of Google Analytics breaches EU privacy law by transferring personal data to the United States. In its February decision, the CNIL specifically addressed the U.S. intelligence community’s broad reach and wrote, “Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services.” It added, “There is therefore a risk for French website users who use this service and whose data is exported.”

While it is still entirely possible an announcement is coming our way, the past few weeks have worked to show the importance of addressing the broad collection practices associated with EO 12333 and the lack of comprehensive privacy protections for data subjects in the U.S. While details regarding a potential redress mechanism in the next installment of Privacy Shield are still scarce, it has been reported that officials describe a process where EU citizens are able to submit complaints to an independent judicial body if they believe their personal information has been unlawfully processed by U.S. national security agencies – potentially offering more privacy protections for EU citizens in the U.S. than U.S. citizens.

For more about Schrems II data transfer trends, view the recent webinar with Jill Abitbol, senior editor from Cybersecurity Law Report.

Photo by Fernando @cferdophotography on Unsplash
