It seems that Edward Snowden was right on the money with his views on the EU-US Privacy Shield Pact. The whistleblower hero (or traitor, depending on who you ask) pulled no punches with his quick and strident criticism coming immediately after the announcement of the trans-atlantic agreement. And Snowden was far from alone in his criticism directed largely at the complicity of the European Commission in the pact, with prominent MEPs and privacy activists also voicing their concerns.
And now, those criticisms have gained fresh credence with the observations made by the EU’s top watchdog on data privacy and protection. In a development that is certain to heap the pressure on negotiators from the US and EU, the European Data Protection Supervisor (EDPS) Giovanni Butarelli has called for “significant improvements” in the Privacy Shield Pact, stating that the shield was not “robust enough to withstand future legal scrutiny”.
The EDPS is an independent statutory authority which advises EU agencies on issues of data privacy. Though the survival of the Privacy Shield agreement is not under threat right now, the words Mr Butarelli carry a clear warning for its future. It is not hard to read the allusions to the fate of its predecessor, the Safe Harbor agreement, in his words.
The Safe Harbor agreement was a direct casualty of the Snowden wikileaks revelations. The allegations of indiscriminate surveillance and collection of private data from EU citizens by US security agencies, using programs like PRISM, proved fatal for the 15 years old agreement. In October 2015, a decision by the EU top court on the Max Schrems case effectively rendered it invalid, citing its massive inadequacies in guaranteeing the privacy of EU citizens’ data held on US soil by American tech companies.
Constant and massive data flows are an integral part of modern business. A data privacy protection agreement such as Safe Harbor is crucial to the smooth functioning of modern international business and trade relations. Without such pacts, US companies cannot not legally transfer EU customer data to their US servers. The spectre of billions of dollars worth of losses to thousands of businesses (mainly American), had spurred the negotiators on both sides to draft a replacement treaty within months after Safe Harbor agreement was struck down.
But the European Commission’s hasty acquiescence to the provisions of the Privacy Shield pact seems to have backfired. Based on negative reaction from activists and regulators, the Shield pact, if left in its current avatar, would surely be challenged in EU courts sooner or later. And with the more stringent General Data Protection Regulations coming into effect in the EU in 2018, it is not hard to envision a verdict similar to the one arrived at in the Schrems case.
If they are really serious about a long-term data protection pact, both US and EU have no recourse at present other than to get back on the negotiating table and address the concerns raised by major stakeholders in the EU. Meanwhile, a cloud of uncertainty will continue to hang over bilateral business relations between the two economies, benefiting nobody.