Two years later and it still sucks: Privacy Shield progress panned
MEPs remind everyone Facebook wasn't hauled off list. Roll on, review 2.0
Analysis: More than two years in, Privacy Shield still isn't fit for purpose – and data protection experts and politicians want to see a bigger commitment ahead of its second annual review.
The agreement, rushed through in the summer of 2016 after its predecessor Safe Harbor was scrapped, governs data flows between the European Union and the US.
Although most critics agree that it provides more protection for EU citizens' data than Safe Harbor, concerns about oversight, enforcement, automated decision-making and US surveillance have been raised repeatedly.
Frustrations have mounted in recent months, as some changes called for in the first annual review – carried out in September 2017 – have yet to materialise. Those that have been made seem to have taken place at a glacial pace.
"Less progress has been made than expected," European data protection supervisor Giovanni Buttarelli said. "For instance, we were expecting a quicker appointment of members of the PCLOB [Privacy and Civil Liberties Oversight Board] – that was recommended as essential."
Although a chair was appointed shortly after the review, it took until March for two members to be nominated. But these, and further, appointments have yet to be finalised.
This week a coalition of 31 organisations called for the US administration to pull its finger out, noting that PCLOB – charged with overseeing the US spy agencies – had only had a quorum for four-and-a-half years of its 11-year existence.
And of course it's about more than just bums on seats. "We're also pushing for the efficiency and functionality of the body," Buttarelli said.
Critics also complain about a lack of clarity on national security issues, and on arrangements for the ombudsperson who handles such complaints – not least because the current holder of that position, Judith Garber, has been nominated as US ambassador to Cyprus.
"We don't have any information on who is going to replace her as acting ombudsperson," said Andrea Jelinek, chair of the European Data Protection Board, which is made up of the leaders of the EU's privacy watchdogs.
She said that a July meeting with Garber had been "interesting and collegial, but did not provide any conclusive answers regarding our concerns".
Face up to privacy limits: Mass surveillance
But one of the issues that looks less likely to be resolved is that of national security and mass surveillance; critics are concerned about routine access to data under the deal, but a lack of transparency makes it hard to unpick.
For instance, MEPs were disappointed the US didn't embed Presidential Policy Directive 28 – which states surveillance activities need to safeguard personal information regardless of where the person resides – into the Foreign Intelligence Surveillance Act when it was re-authorised at the end of last year.
Now, they want evidence that data collection under FISA section 702 isn't indiscriminate and isn't conducted in a generalised, bulk manner, which would run against the EU Charter of Fundamental Rights.
"Because of the differences between the two legal systems, we still have concerns about the chance Privacy Shield can be viewed as a legitimation of routine access by certain authorities," Buttarelli said. "We've been asking for more precise information about mass surveillance in practice... for more tangible measures and improvements when it comes to US surveillance."
But, as Buttarelli acknowledged, intelligence services rarely go public about the detail of their activities – a point that Omer Tene of the International Association of Privacy Professionals (IAPP) emphasised.
"The heart of the matter, I think, is not going to be resolved," he told The Reg. "At the end of the day, section 702 has been extended and I don't anticipate any fundamental changes in the way that the intelligence agencies operate as a result of the Privacy Shield."
Rather, Tene wants a more pragmatic approach that focuses on enforcing the deal within those confines, recognising that data protection authorities have no jurisdiction over any nation's intelligence agencies.
"That was the European Commission's approach, and I fully expect it will continue to be the approach going forward," he said.
"They can look at the oversight mechanism, PCLOB, ombudsman – but beyond that everyone recognises that if the EU institutions are willing to break this deal over that, then the prospects for continued data flows are pretty grim."
Suspend the deal? We can... but won't
Pressure has also come from the European Parliament, which in July called on the European Commission to suspend the deal if such concerns hadn't been addressed by 1 September – but as we hit the end of August, the holes remain.
Commissioner Vera Jourová has said that her institution wouldn't hesitate to suspend the deal if it was necessary – but her spokesman Christian Wigand told The Reg it wasn't warranted at this stage.
"All elements on which our adequacy finding was based have remained in place since the new US administration took office," he said. "And we have seen some improvements and new appointments in relevant bodies and authorities."
Claude Moraes, chairman of the civil liberties committee (LIBE) that brought the resolution to the parliament, said the idea was to keep the pressure on institutions to make sure the deal was watertight.
Pointing to legal challenges already launched at the deal, he told The Register it was "negligent" to allow it to fall entirely to the Court of Justice of the European Union.
"We don't believe in its current form that it is adequate yet, and the main consequence of that is that the court of justice may well invalidate the decision," he said. "Following Safe Harbor – and the time that has elapsed since then – we can't afford to have that happen again."
Moraes is clear that the MEPs aren't pushing for the deal to be scrapped without due consideration – rather they want to use their influence in the EU to emphasise the problems that haven't been fully addressed.
Among these is how US authorities will enforce the deal, especially since it allows companies to self-certify – some 3,689 have done so to date – and even the commission has called for more proactive and regular monitoring of compliance.
Yep, Facebook and Cambridge Analytica covered themselves in Privacy Shield... and stayed on the list – MEPs
And there's one obvious example that MEPs were keen to raise: both Facebook and Cambridge Analytica were registered and stayed on the list (CA's participation has since lapsed, which is unsurprising given its bankruptcy filings).
Moraes argued that removing them from the list "would have contributed to enhance the trust of individuals and the credibility of the system", but added that, after a recent meeting with the Federal Trade Commission (which enforces compliance with Privacy Shield terms), he was satisfied the reason was not that Facebook was too big to take on.
For its part, an FTC spokesman told El Reg that it takes enforcement "very seriously" and pointed out it had brought four cases related to Privacy Shield since it went into effect.
Tene, the IAPP's vice-president and a member of Privacy Shield's arbitration panel, noted that the complaints procedure has a clear escalation process.
"To the best of my knowledge, there hasn't been a single such case [referred from the European DPAs to the FTC], so before pointing fingers at the FTC for lack of enforcement, it's worth asking whether there have been any complaints," he said.
The commission said that how the FTC and Department of Commerce work with EU DPAs, how companies are certified and monitored, and what mechanisms companies have for speedy handling of complaints will all be assessed in the second annual review.
Attitude shifts make second review all the more crucial
However, one thing that's inescapable is how much the tides have turned since the last annual review.
The Facebook saga brought privacy to the public's attention and got big tech firms hot under the collar; the General Data Protection Regulation came into force; and California's privacy law turned up the heat on Washington.
"The incredible shift in policy stance over the past few months has been astonishing," said Tene. "If you looked at this last year, anyone would tell you there was a slim chance of the US actually pursuing federal privacy legislation. Now, it looks like it may be even a likely development this year."
Buttarelli agreed, saying that the "debate of the '80s and '90s over regulation versus self-regulation is now really old fashioned", while Jelinek said that US policymakers needed to take notice of this paradigm shift "and step up their efforts to make reforms".
And change isn't just happening in the US – other countries are now drawing up data adequacy deals with the EU; Japan concluded talks in July, while South Korea is also in the pipeline.
For Buttarelli, this makes Privacy Shield's second annual review – slated to take place on 18-20 October – even more crucial.
"The second review is much more important than the first one," he said. "It's relevant because of other adequacy decisions – we need to make sure the right precedent is set, because otherwise any law enforcement or intelligence services around the world can say, why not me?"