Third time lucky? EU and US open Privacy Shield talks

The European Commission and the US Department of Commerce have opened top level talks on yet another transatlantic data transfer deal – perhaps to be dubbed Privacy Shield 2.0 – following last month’s EU Court of Justice ruling that the existing pact was invalid.

Privacy Shield was itself a replacement for the Safe Harbour agreement, which was also ruled invalid in 2015 following the now notorious US spying scandal exposed by former CIA operative Edward Snowden.

Austrian lawyer and privacy campaigner Max Schrems took up the original case with the ECJ and again for “Schrems II”, during which he successfully argued that Privacy Shield carried the same risks of US spying.

At the time, Schrems said: “I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”

Until last month, Privacy Shield was used by 5,400 of the world’s biggest companies, including Facebook, Amazon, Google, Experian, Acxiom, LinkedIn and Microsoft to transfer data from the EU to the States.

Now they have been forced to set up either binding corporate rules or standard contract clauses to continue to transfer data; however, some argue these are also far from watertight.

Mishcon de Reya Partner Adam Rose recently commented: “There must now be serious questions as to whether any transfers to the US can be valid. As a result of [the Schrems II ruling], the binding corporate rules regime used by some of the world’s biggest international groups must now also be open to challenge. Data protection authorities (such as the ICO) must also intervene to stop transfers under standard contract clauses which are made to countries without an adequate level of protection.”

Even so, it seems that both Brussels and Washington are keen to go “once more unto the breach, dear friends, once more”.

A joint statement by US Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders reads: “[We] have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.

“This judgment declared that this framework is no longer a valid mechanism to transfer personal data from the European Union to the United States.

“The European Union and the US recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.

“As we face new challenges together, including the recovery of the global economy after the Covid-19 pandemic, our partnership will strengthen data protection and promote greater prosperity for our nearly 800 million citizens on both sides of the Atlantic.”

The move has been greeted with scepticism on Twitter, with industry experts coming up with their own hashtags to describe the move, including #BastardSonofShield and #ChocolateTeapot2.

Privacy and data protection specialist Emerald de Leeuw wrote: “Are we really doing another Privacy Shield?”, to which Castlebridge managing director Dara O’Brien replied: “Ah… I know what this is… they are following the Sony PlayStation naming convention: We’ve had PS1. Next PS2. Then PS3.”