We’re at a critical juncture in the shaping of regulations that will govern the exchange of digital data, critical for European and US businesses, and for European citizens.
On Wednesday, the European Parliament debated, and on Thursday will vote on, the proposed Privacy Shield agreement between the EU and US, the clumsy, suggested replacement for the Safe Harbour agreement.
Safe Harbour gave companies an easy and, unfortunately, ineffectual, unenforceable and opaque way to claim they handled European data in accordance with EU law. But the European Court of Justice (ECJ) threw out Safe Harbour in its decision in Austrian Max Schrems's case against the Irish data protection commissioner, regarding his Facebook data.
Privacy Shield has come in for plenty of criticism for failing to address key issues such as whether it adequately protects data from secret law enforcement scrutiny in the US – something the ECJ judges specifically highlighted in the Schrems case. Privacy Shield relies on various US government letters of assurance in this area, not changes to law.
Privacy Shield also proposes a US-based ombudsman with questionable independence, given that the role would report to the US State Department, also home to US surveillance agencies.
This arrangement of strange bedfellows has already perturbed European ombudsman (and former Irish ombudsman) Emily O'Reilly, who noted in a February letter to the EU commissioner responsible for Privacy Shield, Vera Jourova: "It would be useful at this stage if you might outline, or reflect on, how these criteria might be reconciled with the fact that the office foreseen in the 'EU-US Privacy Shield' would be part of a government department that supervises government agencies . . . European citizens . . . have legitimate expectations of the credentials as to the impartiality and independence of such an office."
Just FYI, the same odd regulatory arrangement exists for our own data protection commissioner, tasked with protecting citizen data, yet appointed by, and forming part of, the Department of Justice.
Advocates
Surely the Irish data protection commissioner office should be independently appointed and not be part and parcel of the very department that history shows most needs impartial watching. That’s being argued in a new case brought by privacy advocates Digital Rights Ireland – one to watch.
Meanwhile, on Monday we will get the official opinion of Giovanni Buttarelli, the EU data protection supervisor, on Privacy Shield. Don't expect a warm embrace. He has already stated his view aligns with the working party of EU data protection authorities, which said in April that Privacy Shield still needed considerable work.
Max Schrems weighed in this week too, correctly noting to euobserver.com that the needed changes to the proposed agreement have to be to US law. "Everything that was criticised is stuff the US has to change. There is really nothing that the commission can do."
But wait. With exquisitely farcical timing, into the midst of this fray, a bunch of European ministers – including our new Communications Minister Denis Naughten and new Minister for Jobs, Enterprise and Innovation Mary Mitchell O'Connor – have sent an extraordinary joint letter to Ecofin chief Henk Kamp, effectively arguing that the business of the EU is, really, business. Those irritating, pesky privacy and data protections, especially those in that annoying e-privacy directive, should be reconsidered within a "market-based approach" to the EU's goal of a digital single market.
Oh, the letter is dressed up as a paean to the benefits for businesses AND citizens, but the language is all about business and mostly indirect references to privacy regulations. Examples of what the ministers want? “A market-based approach where businesses do not face unjustified burdens”, an “ambitious” review of the hated e-privacy directive to “repeal all elements that are no longer fit for purpose” to get the “right balance” between business needs and “fundamental rights of data subjects” (the latter are barely mentioned in this document).
Free flow
“Alternatives to regulation should be investigated rather than adding new burdensome regulation of business.”
The EU should remove “all unjustified barriers to the free flow of data”, not add regulation. The EU needs to take “an evidence-based approach” to regulation (which, when it comes to privacy, surveillance and data leaks, would surely point to the need for more protective regulation for citizens?).
In short, they “encourage the commission to move ambitiously forward in its efforts to remove regulatory and non-regulatory barriers” in the digital single market.
Dear ministers, you doth protest too much. The EU is not just about easing business across borders. Remember, those data privacy rights are “fundamental” because the EU Charter of Fundamental Rights is at the very heart of the European project and guarantees them to Europeans.
They might create some “burdens” and “barriers” to business, but in an age replete with evidence of easy digital surveillance, poor digital security protections for citizen data and enthusiastic bulk data gathering by both businesses and governments, they are also essential protections to a vulnerable citizenry.