What the US-EU Privacy Shield Does and Does Not Do
Fueled by the exchange of private information over the web, the modern global economy has raised concerns about the risk that information stored and transmitted over cyber networks can be abused by companies and become readily available to US intelligence and law enforcement agencies. To allay these concerns, after two years of difficult talks, the United States and the European Union signed the Privacy Shield pact on July 12, 2016, aimed at protecting individual privacy while meeting the legitimate needs of companies and the government’s war on terrorism.
According to the US Commerce Department, the pact “provides a set of robust and enforceable protections for the personal data of EU individuals,” including “transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities.”
In the protracted Privacy Shield negotiations, President Barack Obama’s administration got the balance right between three communities—US multinational corporations (MNCs), US intelligence agencies, and EU citizens—regarding the transfer of personal data from Europe to the United States. While the Privacy Shield reflects a reasonable compromise between legitimate competing interests, its provisions are unlikely to provide a template for future negotiations with other players in the world trading system.
Privacy Shield negotiations were triggered by the revelations of former US intelligence contractor Edward Snowden in 2013, which had a big impact in the United States and an even bigger impact in Europe. In the collective European mind, the National Security Agency’s (NSA) surveillance techniques were conflated with alleged intrusions into personal privacy by the likes of Facebook, Google, Amazon, Apple, and Microsoft. Europeans worried that the NSA was listening in on private conversations and that American corporations were using personal data to promote unwanted wares.
European privacy advocates claimed too much hanky-panky was afoot and brought the Maximilian Schrems v. Data Protection Commissioner case to the European Court of Justice (ECJ) in 2013. The ECJ decided this case by tossing out the Safe Harbor Principles, which had been adopted in 2001 and allowed US firms that signed up (some 4,500) to transport personal data digitally across the Atlantic. The ECJ decision cast a giant cloud over $250 billion annually of transatlantic trade in digital services.
MNCs, Intelligence, and Citizens
According to McKinsey Global Institute, cross-border data flows have expanded 45 times since 2005, with far more growth ahead. This is the brightest spot in an otherwise bleak outlook for world commerce. While the free flow of data produces many opportunities for individuals, business firms, and society, it also raises concerns about personal privacy on a scale that has never been experienced before. US MNCs, intelligence agencies, and EU citizens will all benefit from the new Privacy Shield requirements and enforcement procedures.
The Privacy Shield pact requires US firms that want to transfer EU personal data to the United States or other locations to enter into a contractual agreement with the Commerce Department containing model clauses, or, as an alternative, adopt corporate rules that adhere to Privacy Shield principles. The Federal Trade Commission and Commerce Department investigations, capped by an EU dispute settlement system, give the pact teeth, allowing EU citizens who feel their privacy has been breached to seek redress. The Privacy Shield will be strengthened by the EU General Data Protection Regulation when it takes effect in May 2018.
The NSA ducked a huge threat to its operational freedom emanating from the Snowden affair. No one wants terrorists to escape detection, especially in the new era of strong encryption. Nor does anyone want fraudsters and violent criminals to roam the internet. As for NSA intrusions, the Privacy Shield pact restates limits on bulk data collection announced in a Presidential Directive (“only when essential”) and creates an ombudsman office in the State Department to investigate European complaints. But the ombudsman cannot do more than report that everything is fine or that an undisclosed remedy has been put into effect.
Nevertheless, some privacy advocates in Europe and the United States want still greater protection from corporate abuse and intelligence surveillance. Very likely European advocates will challenge the Privacy Shield in the ECJ, given the critical reports written by the Article 29 Working Party and the European Data Protection Supervisor (EDPS). The pact confers no additional benefits on US citizens, but in the wake of the Snowden affair Executive Order 12333, Presidential Policy Directive 28, and the Judicial Redress Act of 2015 all enhanced the personal privacy of Americans. It’s hard to see how more could be done without giving free rein to terrorists and a wide assortment of online criminals.
Models for the WTO
As privacy protection and e-commerce are becoming global concerns, it is time for members of the World Trade Organization (WTO) to consider a new multilateral agreement on e-commerce and privacy protection. The Privacy Shield provisions would likely be challenged in future negotiations with other trading partners. The Trans-Pacific Partnership’s Chapter 14 on E-Commerce (see Branstetter 2016) appears to be a more suitable model for WTO members to adopt rather than the Privacy Shield pact, for two reasons. TPP Chapter 14 avoids limiting activities of national intelligence agencies and strongly encourages countries to allow the free flow of data. By contrast, terms of the Privacy Shield pact may exceed the capacity of WTO members since the terms require privacy enforcement mechanisms directed at firms (not just governments) as well as limitations on the investigative activities of intelligence agencies.
This blog is a condensed version of the Policy Brief 16-12, “The US-EU Privacy Shield Pact: A Work in Progress.”