EU/US Say They’ve Agreed To A New Privacy Shield That Doesn’t Seem To Deal With Any Of The Problems Of The Old One – Techdirt

from the lipstick-on-a-dead-pig dept

Last week, the EU and the US announced something important that sounds pretty boring a new privacy shield agreement. You should know its important, because in the midst of dealing with everything else, including the Russian invasion of Ukraine, President Biden actually made a public statement with European Commission President Ursula von der Leyen to announce it (in a speech that also included talk about the Russia/Ukraine situation). Here was the key bit:

And Im proud to announce that weve also reached another major breakthrough in transatlantic data flows. Privacy and security are key elements of my digital agenda.And today, weve agreed to unprecedented protections for data privacy and security for our citizens.This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And its going to allow the European Commission to once again authorizetransatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.

A little history if you dont follow this too closely. For years, the US and the EU had a privacy safe harbor setup, by which US internet companies were allowed to collect some data on EU users by agreeing to live up to certain standards. What this meant in practice was that every US internet company had to hire some random privacy auditor in the EU who would bless you with some sort of compliance statement. It was kind of a boondoggle (and, yes, we had to go through it ourselves).

Back in 2015, privacy advocate/perpetual thorn in the side of companies who collect data, Max Schrems, successfully challenged the legality of this agreement at the EU Court of Justice. What the EUCJ said in scrapping the privacy safe harbor agreement was that the NSAs PRISM program (exposed by Ed Snowden, and involving pressuring US internet companies to cough up information on users) violated the safe harbor.

Suddenly, it became unclear if US internet companies even could continue to collect data from EU users. There was a lot of scrambling, and in early 2016, the EU and the US announced a new privacy safe harbor, with the catchier name Privacy Shield. However, as we noted at the time, considering that the US refused to end the NSAs collection program under Section 702 of the FISA Amendments Act, it didnt seem possible that the new agreement would survive a challenge.

And, indeed, Schrems challenged the Privacy Shield again, and once again, in 2020, the EU courts rejected the Privacy Shield. In that decision, it continued to call out NSA surveillance, including executive order 12333, which, as weve noted, is actually the main source of the NSAs foreign surveillance powers, and (according to some) not subject to Congressional review.

So, now, the US and the EU claim theyve come up with a new Privacy Shield framework that will allow the data to flow freely across the Atlantic. But I dont see how thats possible. Because 12333 still exists. And, back in 2018, Congress renewed Section 702 of the FISA Amendments Act. So the two biggest reasons why the EUCJ has rejected these agreements two giant NSA spying programs still exist. I dont quite see how any new agreement is going to get around that without significantly modifying the NSAs surveillance program.

Schrems seems, lets say skeptical.

We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.

The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

It is regrettable that the EU and US have not used this situation to come to a no spy agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.

While US tech companies have been celebrating the deal, they really shouldnt bother. Its hard to see how this survives another round in court, until the NSA has its wings clipped.

Filed Under: eo 12333, eu, executive order 12333, fisa amendments act, joe biden, max schrems, privacy, privacy safe harbor, privacy shield, section 702, surveillance, ursula von der leyen, us

Go here to read the rest:
EU/US Say They've Agreed To A New Privacy Shield That Doesn't Seem To Deal With Any Of The Problems Of The Old One - Techdirt