The EU/US new ‘Privacy Shield’. Why the cure is worse than the disease

On 10 July 2023, in a document of over 190 pages, the European Commission tries for the third time to solve an unsolvable problem: that of allowing the exchange of personal data with the USA, ‘accused’ of not offering adequate protection to the data of European citizens that are processed, in various ways, by North American companies.

by Andrea Monti – Initially published in Italian by Italian Tech – La Repubblica

The news brought (more than) a sigh of relief to all companies based in the EU that are linked, in one way or another, to Big Tech but, in reality, there is little to rejoice about, because even this new version of the ‘privacy shield’ is destined not to last very long. Like its two previous incarnations, in fact, this act does not solve the fundamental problem that plagues relations between the EU and the US: that of the possibility for American governmental agencies to do (rightly) what they want with the data of citizens of EU Member States.

It is likely, therefore, that in due course, just as the European Court rulings known as ‘Schrems I’ and ‘Schrems II’ dismantled the Commission’s previous decisions, a ‘Schrems III’ will do the same to the new text, again causing fear, uncertainty and doubt in the public and private ecosystem that relies on Big Tech, as well as slowing down the digital transition.

Civil services and companies, in fact, will continue to operate under the Sword of Damocles of some judicial measure issued by a national court or data protection authority that could well find that the king is naked and bring down the fragile house of cards built by the European Commission.

To demonstrate the correctness of this statement it would be necessary to go into the technical-legal details of the adequacy decision but, at least here, this is not possible. Suffice it to recall, therefore, that both the European Parliament and the European Data Protection Board have not declared themselves enthusiastic about the agreement, pointing out (in particular the EDPB) that the knot to be unravelled remains that of the extension of the powers of American agencies that protect national security.

The Commission resorted to a regulatory technique that is also widely practised by other European institutions: writing texts of biblical length, comprehensible only to the cognoscenti, which then become definitive save for minor amendments (someone should look, for example, at how many pages the dossier on the AI Act consists of). Even this did not help to circumvent the problem: the more than 190 pages were not enough to sweep the critical aspects of the measure under the carpet because, despite the efforts, the bulge is all too visible.

Thus, reading from a bird’s eye view, one need only stop at page 35 to discover that ‘U.S. intelligence agencies may seek access to such data for national security purposes … under the Foreign Intelligence Surveillance Act (FISA) … FISA contains several legal bases that may be used to collect … the personal data of Union data subjects transferred under the EU-U.S. DPF (Section 105 FISA, Section 302 FISA, Section 402 FISA, Section 501 FISA and Section 702 FISA)’. But it was precisely FISA (and in particular Section 702) that was one of the reasons that led the European Court to invalidate the predecessors of this decision. If, therefore, it was no good before, it is not clear why the opposite should be the case now. Not to mention the CLOUD Act, the critical nature of which has been reported to the Italian Garante for almost a year now, without any news of the matter being taken up.

A little further on the same page, we read that ‘U.S. intelligence agencies also have possibilities to collect personal data outside the United States, which may include personal data in transit between the Union and the United States’. So, not only can US authorities access the data of citizens of EU member states that they have under domestic control, but they can also fetch them abroad (where, in other words, they have no jurisdiction and where the EU does not either).

That the US has spied on the institutions of European countries is not news, and the fact that they can only do so (by golly) on the basis of an Executive Order from the President does not change the fact that the EU (or rather, the individual member states) have no say in the matter. If, then, one delves into the section devoted specifically to intelligence, one clearly understands that, no matter how many rhetorical contortions one may try, there is no legal remedy available to non-US citizens to scrutinise the actions of the national security bodies. On the other hand, and this is the real Achilles’ heel of the EU, no country (not the US, but not any other either) would accept a limitation of its internal sovereignty on matters that affect its survival or even its existence. So, because this is what it is all about, thinking of solving a question of international relations with a legal instrument is like driving a nail with a screwdriver.

In practical terms, the reasoning translates into the observation that the EU Commission has only delayed the problem without solving it, but in doing so has created more troubles than it has eliminated. The implementation of the new ‘privacy shield’ (or whatever it will be called) is cumbersome, bureaucratic and costly and, at the same time, does not make it any easier for companies and public institutions to operate. Moreover, and perhaps this is the most serious thing, the adequacy decision ‘certifies’ that until yesterday no data could be exchanged with the USA and that, by logical deduction, those who did so probably broke the law. Hence two considerations: the first is to wonder where the national data protection authorities were and why they did not block these transfers; the second is to wonder whether, now that the decision has been approved, they will open wide-ranging investigations to sanction those who have used GAFAM’s services (and those of the many other US operators) up to now. Yes, because this decision does not ‘heal’ the past, and therefore the data protection authorities should intervene, unless they themselves are to violate their institutional mandate.

Whatever the choice of the commissioners, it will be a choice fraught with drawbacks: if they investigate, they will have to sanction in the name of EU and national political inertia; and if they do not investigate, they will have inflicted irreparable damage on trust in the rule of law, because they will certify that in the name of political necessity, the law must take a step backwards.

Never as in the case of the new adequacy decision, therefore, is the cure worse than the disease, and the doctor who will have to treat it is not to be envied.
