The concerns over mass surveillance and oversight expressed Wednesday in the Article 29 Working Group (WP29) opinion on the Privacy Shield pact forged by the EU and the U.S. as a replacement for Safe Harbor aren't expected to prevent the agreement from being approved by the EU – with or without modifications – but most likely will guarantee that it will face judicial challenges in the future.
WP29 wrote in its much-anticipated opinion that the proposed accord showed progress by establishing privacy protections, but still doesn't adequately address the chief issue that got Safe Harbor tossed by a European Court of Justice – mass surveillance of private citizens.
Aaron Tantleff, an intellectual property partner at law firm Foley & Lardner LLP, told SCMagazine.com, that the group's assessment came as no surprise, not because the policy itself is lacking but “because of the way it has been playing out in public. Look at why Safe Harbor was rejected.”
Noting that mass surveillance was the “cornerstone” of the European court's rejection of that agreement, Tantleff said WG29 would obviously have the same concerns with Privacy Shield if it did not adequately address that issue.
While WP29 applauded the “limitations overlain” by Presidential Policy Directive 28 (PPD-28) – designed to lay down principles for U.S. signals intelligence activities for the purpose of authorized foreign intelligence and counterintelligence – the group said “it is difficult to consider whether the U.S. legal framework for surveillance is sufficiently foreseeable, i.e. contains ‘adequate indication[s] as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.'”
Global corporations like Microsoft, whose vice president of EU affairs, John Frank, urged in a Monday blog that the agreement be approved, and Google depended on Safe Harbor to provide the guidelines and obligations for acceptable data transfer until a European Court of Justice in Ireland invalidated the agreement after a challenge by Maximillian Schrems.
Disturbed by revelations from Edward Snowden regarding cooperation between the National Security Agency (NSA) and social media companies, Schrems lodged a complaint that his personal data was being unlawfully processed by Facebook in the U.S. In its widely anticipated ruling, the court agreed. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Yves Bot, the court's advocate general, said in his opinion.
After some hiccups and scares, notably a late adoption by U.S. lawmakers of the Judicial Redress Act, which provides citizens of major U.S. allies a course of redress regarding information shared with U.S. law enforcement, the EU and the U.S. were able to meet the court's mandate and reach an agreement to replace Safe Harbor.
But while the Privacy Shield generally encourages European businesses to be measured and conservative when sharing data with U.S. entities, critics have claimed the policy is still rife with exceptions when it comes to sharing information with U.S. law enforcement. And privacy advocates argue that the new framework serves more to clarify the U.S.'s position on digital surveillance rather than actually place tighter, Euro-centric restrictions on the practice. The Federal Bureau of Investigation's (FBI) hot pursuit of Apple's aid in cracking an iPhone used one of the San Bernardino shooters has bolstered fears that the U.S. government has no compunction about stepping on privacy in favor of national security.
WP29's criticism of the agreement was widely expected after excerpts from the group's opinion leaked late last week clearly indicated that the group wasn't prepared to embrace Privacy Shield without some significant modifications. Indeed, the regulators put forth a number of recommendations that they would like to see in the finalized version of Privacy Shield, including, Tantleff said, a review in two years to see how the pact gibes with the General Data Protection Regulation (GDPR), which the EU adopted Thursday with a two-transition period, and clarification of the role of an ombudsman to be appointed by the U.S.
In early March a senior Commerce Department official underscored the criticality of the ombudsman position within the State Department to hear European citizens' challenges against U.S. acts of surveillance, calling it “a very important part of the package.” In addition, Hildebrand contended that a letter (included in Annex 3 of the Privacy Shield) to European Justice Commissioner Vera Jourova, Secretary of State John Kerry “does a pretty good job of laying out what they expect ombudsman to do.”
The sheer number of moving parts that make up the global privacy landscape – from Privacy Shield to GDPR implementation to an impending decision by the European Court of Justice (ironically, the same one that invalidated Safe Harbor) over the legality of mass surveillance – and their timing have created a certain confusion.
“They're leapfrogging over each other,” said Hildebrand, noting that GDPR allows for a two-year transition and WP29 feels that Privacy Shield “doesn't have mechanism for accommodating GDPR in two years time.”
Indeed, the WP29 noted “that the Privacy Shield does not yet reflect the future situation” since it leaves out “new notions like the right to data portability and additional obligations on data controllers, including the need to carry out data protection impact assessments and to comply with the principles of privacy by design and privacy by default.”
That most certainly assures modifications further down the road. “One thing that actually did surprise me, or that I found interesting, is the inconsistency in Privacy Shield and GDPR,” Tantleff said, contending that the Privacy Shield “is going to be a moving target by Spring.”
And the European Court of Justice's decision on the legality of mass surveillance could also be a game-changer. If the European court “rules it's legal, then that will diminish the significance of this argument,” he said.
Regardless of what WP29 may have to say, that “one sticking point” will be resolved by the Court, said Omer Tene, vice president of research and education at the International Association of Privacy Professionals (IAPP).
Experts expect the pact to move toward approval with or without accommodating the WP29's recommendations. Though the group is, according to Dana Simberkoff, chief compliance and risk officer at AvePoint, “influential,” its opinion is non-binding. There is also a tremendous amount of economic pressure from global companies and even certain European jurisdictions that host their European operations.
Ultimately, he said, “there's too much pressure for this to go back,” said Tantleff.
Indeed, corporations and tech interests have clarified as much.“The agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses, and advocacy groups for offering an opportunity to move forward,” Information Technology and Innovation Foundation (ITIF) Vice President Daniel Castro, said in comments sent to SCMagazine.com that acknowledged the importance of WP29's ongoing suggestions. “A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers.”
Even “the GDPR coming into force [won't] automatically disrupt continuation of the Shield,” because, Tantleff said, “Privacy Shield is GDPR-ready; it was negotiated against the backdrop of GDPR.”
Castro said Privacy Shield should be used as a foundation for strengthening privacy going forward, noting that the agreed-to annual reviews offer ample opportunity to make modifications.
So does the judiciary, where many of Privacy Shield's shortcomings and concerns are likely to be addressed. “There certainly will be a judicial challenge,” said Tene.
Though the pact has its shortcomings, even the WP29 acknowledged that Privacy Shield presents some strong obligations for companies.
“I am relieved that they left in data transfer mechanisms,” such as model contracts (MCs) and binding corporate resolutions (BCRs) found in Safe Harbor, said Hildebrand.
“At end of day, they're still saying that standard contractual clause and binding corporate resolutions are still valid, so [companies should] use those,” said Tantleff. “While other issues still need to be address, people should take advantage of that.”
But while those mechanisms offer a route for B2B companies – particularly large multinationals with the resources to hammer out those agreements quickly, businesses that cater to consumers will have a rougher go.
“What about all businesses in U.S. that deal with individuals?” said Hildebrand. “They are the ones I think are most affected by Privacy Shield. Or won't stand up to judicial challenge.”
An “unambiguous, informed consent” derogation in the agreement will leave marketers in a tizzy as they are forced to move from an “opt out” to an “opt in” model. “From a marketing standpoint, that's a lot of clicks,” said Hildebrand. “That's not a practical solution. So, they're probably the ones most disappointed in this [WP29] opinion.”
But the requirements bolster the case for companies being better caretakers of the information they gather and use.
“Privacy protection is important, but being a good data steward” trumps it, said Tantleff.
Companies will have to step up and be “transparent about what data collect, how they collect it and what do with it” and who they share it with, Simberkoff said. “You get into trouble when you're not clear or don't know what your intentions are with data.”
Those and other issues, she said, will be sorted out as companies begin to comply with Privacy Shield and shouldn't prevent the accord from being approved.
At the end of the day, because the economy is global, “it doesn't do anyone any good to delay these things,” said Simberkoff. “Realistically, companies not going to stop doing business in Europe. You can't let perfect be the enemy of good.”