Already Under Attack In Top EU Court, Privacy Shield Framework For Transatlantic Data Flows Further Undermined By Trump

from the you're-not-really-helping-things,-Donald dept

Mon, Jan 30th 2017 3:43am — Glyn Moody

A year ago, Techdirt wrote about the melodramatically-named "Privacy Shield." Under EU data protection laws, the transfer of EU citizens' personal data is only legal if the destination country meets certain basic conditions for data protection. Signing up to Privacy Shield is designed to allow US companies to meet that requirement. The earlier framework, called "Safe Harbor," was thrown out by the EU's highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows. Privacy Shield was hurriedly cobbled together because, without it, the vast flows of data across the Atlantic that occur all the time would be much harder to square with EU laws.

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor. This led the Irish civil liberties group Digital Rights Ireland (DRI) last October to ask the EU's General Court -- one of the more obscure courts of the CJEU -- to annul the Privacy Shield framework, arguing that it too lacks adequate privacy protections. Although there are still some procedural matters to be settled first, largely to do with whether DRI has standing to bring this legal action, the case is considered a serious enough challenge to the Privacy Shield framework that the US government is getting involved directly:

The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland against the Privacy Shield transatlantic data transfer pact.

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action. DRI's basic argument is the following:

In questioning Privacy Shield's adequacy, it says its provisions are not actually fixed in US law. The privacy group will also argue that the agreement neither adequately addresses the court's specific objections to Safe Harbour, nor protects citizens' rights provided for under the EU Charter of Fundamental Rights and by the general principles of EU law.

The DRI's case may have just received a boost from an unusual quarter. As Techdirt reported, the President of the United States has signed an executive order that strips those who are not US citizens of certain rights under the Privacy Act. A spokeswoman for the European Commission told TechCrunch that Privacy Shield "does not rely on the protections under the US Privacy Act." But Jan Philipp Albrecht, a Member of the European Parliament, and the leading expert on data protection regulation there, is not so sure that the framework will escape unscathed. He wrote in a tweet that:

If this is true [about the stripping of privacy protections] @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.

The "EU-US umbrella agreement" refers to another recently-agreed deal that puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The long thread that follows Albrecht's tweet explores to what extent the Privacy Shield framework is likely to be impacted by the new executive order. There's no clear consensus yet on that. But one thing is for sure: the general thrust of Trump's order probably indicates a broader shift in policy that makes it more likely that the CJEU will strike down Privacy Shield just as it struck down Safe Harbor.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: donald trump, eu, privacy, privacy act, privacy shield, safe harbors, us

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

The First Word

“

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action.

They say you can judge a man by the company he keeps. I say it's not just men. If Microsoft and the BSA (a notorious Microsoft front group whose main purpose in life is promoting the progress of copyright abuse, particularly by Microsoft) think it's such a good idea, that's at the very least, a good reason to wonder if we might not be better off without it.

—Mason Wheeler

”

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 30 Jan 2017 @ 2:06am

"But it's different, we're the Good Guys!"
The earlier framework, called "Safe Harbor," was thrown out by the EU's highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows.

...

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor.

Any 'framework' should assume that the NSA can and will grab everything it possible can, showing absolutely no restraint whatsoever in it's obsession and 'Collect it all' mindset, and move on from there, because at this point I'd say it's probably safe to assume that the NSA will never voluntarily stop scooping up everything it can get.

Unless the NSA is forced to stop(and at this point I don't think anything less than dissolving the agency entirely would accomplish that) they will completely and utterly ignore and 'privacy' and 'personal data' rules, because why wouldn't they?
[ link to this | view in chronology ]
a swiss guy (profile), 30 Jan 2017 @ 4:20am

... one of the more obscure courts of the CJEU ...
Funny classification. Have a look:
https://en.wikipedia.org/wiki/Court_of_Justice_of_the_European_Union
[ link to this | view in chronology ]
Cowardly Lion, 30 Jan 2017 @ 4:22am

And another thing
I love how there's a question over whether the DRI has legal standing: "whether DRI has standing to bring this legal action". You know like, how dare an Irish organization challenge a European Union arrangement.

And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.

Team America World Police. It's a thing.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2017 @ 4:35am
  
  Re: And another thing
  "And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "
  
  "Other countries that have applied to join the case include France, the UK and the Netherlands.
  
  Microsoft and the Business Software Alliance, which represents the global software industry, have separately applied to join the action."
  
  Looks like Team France, UK, and Netherlands are joining the fray. Lets toss in Team Microsoft and the GLOBAL Business Software Alliance" for good measure.
  
  Should anyone give a crap about these?
  [ link to this | view in chronology ]
- That One Guy (profile), 30 Jan 2017 @ 4:56am
  
  Re: And another thing
  And I love how the USA feels totally free to blunder just right on in, like everyone else should just give a crap: "The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland". Because Screaming Eagles.
  
  Team America World Police. It's a thing.
  
  It gets even better when you consider that it was a USG agency that was responsible for 'Safe Harbor' being thrown out, and now 'Privacy Shield' being challenged.
  
  The NSA's 'Collect it all' fetish undermined the first to the point that it was tossed, and now it's doing the exact same thing again with the replacement, and yet the US is filing in defense of the thing, in which I have no doubt that they'll completely ignore the NSA's role and go on and on about how the DRI is making mountains out of molehills, because if there's one thing the USG and it's agencies value and hold sacred above all other things it's the privacy of non-US citizens.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Jan 2017 @ 4:59am
    
    Re: Re: And another thing
    Should we lump in France, the UK, and the Netherlands as well? Lets give equal players equal under the buss time no?
    [ link to this | view in chronology ]
    - That One Guy (profile), 30 Jan 2017 @ 5:29am
      
      Re: Re: Re: And another thing
      The UK's NSA equivalent(GCHQ I think it was?) certainly displays the same level of 'respect' towards privacy(and right, and laws, and anything that might otherwise prohibit them from doing whatever they want...) that the NSA does, but given the Safe Harbor and now Privacy Shield deal with data going between Europe and the US I'm not sure how much impact their actions would have towards Safe Harbor/Privacy Shield, though the cozy relationship between them and the NSA certainly doesn't help.
      
      Don't know enough about the French and Netherlands equivalents to say either way, but again, both of those are European countries so probably not much impact in this case.
      [ link to this | view in chronology ]
      - Anonymous Coward, 30 Jan 2017 @ 5:33am
        
        Re: Re: Re: Re: And another thing
        I'm just thinking that it appears people are bashing the U.S. over this, when in reality they are just one of many players. Doesn't seem fair to me.
        [ link to this | view in chronology ]
        
        That One Guy (profile), 30 Jan 2017 @ 5:47am
        
        Re: Re: Re: Re: Re: And another thing
        Given the NSA's actions seems to have been a driving force in both, I don't think any 'USG bashing' is unwarranted here. If the NSA hadn't been caught grabbing everything they could get the original Safe Harbor likely would have been seen as plenty.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 30 Jan 2017 @ 5:53am
        
        Re: Re: Re: Re: Re: Re: And another thing
        "I don't think any 'USG bashing' is unwarranted here."
        
        Well, my point was lets just remember the USG is not alone. This train was moving before the US got on, and again they are only one of MANY players involved.
        [ link to this | view in chronology ]
        
        That One Guy (profile), 30 Jan 2017 @ 5:59am
        
        Re: Re: Re: Re: Re: Re: Re: And another thing
        They're not the only ones openly displaying contempt for those pesky 'rights' and 'laws' and concepts like 'privacy', no, not hardly, but in this case a US agency seems to hold the most blame for what has and continues to happen due to the European-US nature of the issue that makes the NSA's actions of more immediate impact, even if other European agencies are just as bad in general.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 30 Jan 2017 @ 6:46am
        
        Re: Re: Re: Re: Re: Re: Re: Re: And another thing
        Governments are the tools of your corporate overlords, bought and paid for they are.
        [ link to this | view in chronology ]
        
        orbitalinsertion (profile), 30 Jan 2017 @ 2:49pm
        
        Re: Re: Re: Re: Re: Re: Re: And another thing
        The challenged agreement is between the US and EU. The spying of other parties is not even relevant. The USG is making it impossible, and that is the problem for the agreement.
        [ link to this | view in chronology ]
- Wyrm (profile), 30 Jan 2017 @ 9:08am
  
  Re: And another thing
  It's a US-EU agreement being challenged, so I'd say they have a good reason getting involved. Particularly since it's being challenged because of its behavior.
  
  That's one if the rare cases where I find it legitimate for the USA to get involved.
  [ link to this | view in chronology ]
I.T. Guy, 30 Jan 2017 @ 6:15am

I think I now know how Germans felt when a certain crazed lunatic came to power. It's like watching a train come barreling toward you and not being able to move.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2017 @ 6:25am
  
  Re:
  Some Germans. As understand it, he was actually quite popular when he came to power.
  [ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2017 @ 6:46am
  
  Re:
  Well, even Thingiverse is getting political.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Jan 2017 @ 6:16am

Window Dressing
The agreements have been violated in the past and the data didn't stop flowing. They'll be violated in the future and it won't stop flowing. This is all just window dressing.
[ link to this | view in chronology ]
Anonymous Coward, 30 Jan 2017 @ 6:28am

No, no entity is entitled to an individuals data however unobrusive it may be, without the consent of that individual

Thats not how the world works

Thats, HOW, the world should work

Defeatism leads to subserviance, when we should be argueing their right to our data, our information, our lives, so called supporters of human rights are talking about the best way to implement it in a minimised form. Its the INITIAL implementation thats wrong and dangerous, you accept it, it gets normalised in our lives, then they push the envelope further

The saying "give them an inch, and they take a mile" comes to mind

I wonder if the future generations were offloading this on, will be just like us, or evolved enough to rightly wonder why the fuck we just watched while it happened, those that cared enough to notice, those that noticed but didnt care, not to mention the mentality of the crazies actually driving the crazy bus down to crazytown, you now, the too big to jail folks

One mans leader is another mans tyrant

Theres a reason why the americans constitution makes mention of non interference..........to minimize the risk of the tyrant fork on the road our leaders will inevitably come across.......at least in this day and age

History lesson
1-We learn something profound through hardship
2-Humans look forward
3-Time passes
4-We forget that something profound
5-Humans stall, or go backwards
6-Hardship makes us relearn why number one was profound
7-Goto number 2

Its why, in one particular case, some folks decided to make a sticky note of some of it, and then proceeded to call it a constitution or bill of rights, to protect and as im realising, remind future generations that didnt go through the hardships that created it, or fail to recognise the signs of an overbearing government, or its next entity slogan change

Im disatisfied......can you tell
[ link to this | view in chronology ]
Mason Wheeler (profile), 30 Jan 2017 @ 6:57am

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action.

They say you can judge a man by the company he keeps. I say it's not just men. If Microsoft and the BSA (a notorious Microsoft front group whose main purpose in life is promoting the progress of copyright abuse, particularly by Microsoft) think it's such a good idea, that's at the very least, a good reason to wonder if we might not be better off without it.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2017 @ 8:08am
  
  Microsoft (and other companies) are in it for convenience
  It is far more economical for them to keep all the data in one country and have Privacy Shield or an equivalent as legal approval to move all the data to that country, than it is for them to operate data centers positioned to abide by the privacy laws that Privacy Shield overrides. If Privacy Shield is struck down and not replaced, then data that Microsoft (and other companies) currently transfer out of the EU as an ordinary part of business would instead be required to stay, if not within EU borders, then at least outside US borders. It's much easier and cheaper for them to intervene and have this challenge struck down than to change their business model to account for more restrictive privacy rules. In particular, some parts of their business may require more than just standing up region-isolated data centers. If their current design assumes that all data centers can always talk to all others (barring transient network errors), and the new laws preclude that, then they not only need to build and staff new data centers, but also change how the software works.
  [ link to this | view in chronology ]