TPC 33: Privacy Shield is No More

The European Court of Justice has declared that the current measures for the exchange of private data between the EU and the US do not satisfy the data protection rights of EU citizens and are therefore illegal.

Today, The Private Citizen is exactly half a year old! How time flies…

On the episode at hand, I look at a recent decision by the EU’s highest court to declare the current agreement for GDPR-compliant data exchange between the EU and US to be null and void. Can data from EU users still be stored and processed on US servers? How does this decision impact big US service providers and other companies?

The Decision of the European Court of Justice

On 16 July, the European Court of Justice declared the rules for the free exchange of data between the EU and entities in the US (the so-called Privacy Shield agreement) to be unlawful (case C-311/18). This is the agreement that, up to that point, had allowed US companies to process and store personally identifiable data of EU citizens. It is the post-GDPR successor to the earlier Safe Harbour agreement, which was previously discussed in episode 5 of this podcast. As it stands right now, data from EU citizens cannot be legally stored or processed on US-based servers. The vast implications are obvious.

The case was brought by Austrian privacy activist Max Schrems and his data privacy organisation NOYB (see episode 29). Schrems has made it his mission in life to sue Facebook for privacy violations against European internet users. He’s done so several times before, including in 2015 when the European Court of Justice declared parts of the Safe Harbour agreement to be unlawful (case C-362/14).

Because privacy laws in the US as a whole, seen from a European perspective, are not at a high enough level, the US was never considered to be one of the non-GDPR countries that are safe for the personal data of European citizens. Some local state laws are an exception, California being a prominent example, but since these aren’t binding for everyone in the US, they don’t count from the position of European lawmakers. So Safe Harbour, and later Privacy Shield, presented an option for US companies to commit themselves to European-style privacy rules and regulations. In practice, this boiled down to a list of companies, administered by the US Department of Commerce, which publicly agreed to uphold the data protection rights of EU citizens in the US.

Max Schrems called this practice “putting lipstick on a pig”, because in reality, these commitments weren’t actually enforced by anyone and the data of Europeans was clearly open to being accessed by US intelligence and law enforcement services. This is compounded by the fact that many rights and protections on US soil that govern the processing of data of US citizens do not apply to data from non-citizens. What made this whole situation even worse was the fact that, even if the rights of a citizen from an EU member state under US law were being violated, there is no effective legal recourse in the US (or the EU for this matter) for this person. These problems have been raised by data protection officials in Europe for years, but they finally came to a head with Schrems’ lawsuits against Facebook. The decision of the European Court of Justice now is therefore not surprising, but it is nonetheless very important.

Aside from the GDPR, the court also considered the EU Charter of Fundamental Rights, which also governs privacy protections for EU citizens. According to the court decision, the privacy rights of EU citizens whose data is processed or stored in the US are subordinate to the requirements of US national security, the public interest of US citizens and the enforcement of US law. All of this causes the data in question to be subject to access by US government officials, which violates guarantees in the GDPR and fundamental human rights according to the EU Charter. The court also finds that the surveillance programs implemented under US law currently do not limit access to what is absolutely necessary to fulfil the goals set forth in these laws. In most cases, according to the court, data of EU citizens can seemingly be spied on without any legal limits at all.

It is still possible to use standard contractual clauses as specified in the GDPR, which are used between an EU-based company and a partner company in a non-GDPR country to govern data of EU citizens that is being exchanged. For this to be usable, however, the non-GDPR country must provide the means for the local company to extend equivalent data protection rights to EU citizens as they would enjoy in the EU. This includes local laws that EU citizens can use to defend their rights in the jurisdiction in question. This is clearly not possible in the US, as local laws, according to the ruling by the European Court of Justice, provide neither protection against intelligence services spying on the data nor legal means for EU citizens to defend their rights successfully in local courts.

All of this makes it seemingly impossible now for a company to store personal data from European citizens on US servers. There are some exceptions, but basically only when the data is moved within a company and originates with company employees. It would also be possible for companies to explicitly get permission to process and store data in the US from every single user separately. But to do this legally, the company would have to provide users with very detailed information on what data can be accessed when, how, under which circumstances and exactly by whom. That seems impossible where US national security is concerned.

What Does This Mean Going Forward?

It seems unlikely that the Trump administration is willing to commit to an agreement that guarantees fundamental privacy rights for the data of EU citizens in the US. In the even more unlikely event of the Democrats winning the election later this year, chances to reach such an agreement probably aren’t much higher. Joe Biden, much like his Democrat predecessors, also seems unlikely to mess with the US intelligence apparatus and their espionage programs for the sake of non-US citizens.

In the UK, the prevailing opinion seems to be that the ruling won’t stop business as usual for the foreseeable future. For example, The Register writes on the ruling:

The practical effects of the ruling are likely to be limited as data-related “standard contractual clauses” (SCCs, added by firms to contracts governing all EEA-UK data flows), something else Schrems complained about, were not struck down or ruled invalid.

At a press conference late this morning, commission vice-president Vera Jourová, who has responsibility for values and transparency, reassured businesses: “The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries. This means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.”

Voices from the US seem more sceptical:

The US IT and Innovation Foundation (ITIF), meanwhile, complained the ruling was “irresponsible” and would treat the US with a “double standard”.

“In the midst of a global pandemic during which global data flows are more vital than ever, [the ruling] puts all global data transfers from the EU at risk and wreaks havoc on the digital economy,” said ITIF’s Eline Chivot. “It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”

While it was not immediately clear whether any businesses had stopped moving personal data across the Atlantic after this morning’s judgment, Chivot made the point that US laws on government access to personal data were not “unique”, seemingly calling on the EU to reject other countries’ data access laws in the same way.

Producer Feedback

Stephen from Raleigh says Butterbeans had a point with his comments in episode 32:

I hear what you’re saying about keeping social media completely free and open, without fact checking or other controls interjected by the companies, and in principle I agree. But Butterbeans has a good point about the sheer scale of their reach and the magnitude of their impact. Twitter/FB et al. aren’t really comparable to an intimate conversation among family and friends. Through them we listen in on conversations from all across the country and beyond, most of which have nothing to do with us personally. They shape the content of national dialog – which isn’t really a dialog at all, not least because their formats aren’t designed for thoughtful expression but rather for knee-jerk reactions. And that at a massive scale.

We’ve also seen over the past few years how bad actors have exploited these inherent characteristics of social media to intentionally sow misinformation and strife and distrust across the country. Perhaps we should think about email spam. It’s said that most email traffic in the world is in fact spam. Email providers like Gmail do incredibly well in filtering that out for us – not perfectly, of course, but to such a degree that we can almost forget about it. Wouldn’t it be awesome to have some kind of social media spam filter at least against malicious content that’s that effective?

Now sure, who’s going to be trusted to be the fair arbitrator of what’s true or not, what’s malicious or not. I don’t know the answer to that. But what we have right now is problematic. Maybe there is no real solution. Maybe we’ve built systems that we as a species aren’t really adapted to handle well. Maybe one day someone will invent some kind of social media that really benefits us and isn’t subject to exploitation. But what do we do to keep society from blowing itself up until then?

Butterbeans chimes in again, as well:

Wow, Fab. Just listened to episode 32. What a great fucking response to my questions! Thank you for taking the time to give such a thoughtful response. Really gave me a lot to think about. Nice little interjection about Bismarck, too. As an aside, I started listening to Sabaton for the first time when I heard Carolus Rex (English Version) over a YT video and loved it. Whenever you have time, can you send me some song recommendations? Absolutely no rush. Enjoy your motorcycle trip!

Frank recommends a podcast:

I found a podcast I’m really enjoying called, Your Better Life. It’s been a really interesting show. Gary Collins does this show completely for free, and he doesn’t even use Patreon. I have to say this is really good stuff. Gary is speaking directly to some of my interests. He gets into various topics, to include writing which we know is in your wheelhouse. My wife aspires to write, and otherwise operate a work from home business.

Gary Collins is into the concept of full freedom, and living a lifestyle that breaks out of the 9-5 rut that most of America is trapped in. He’s coined the phrase American Trap, rather than American Dream. My entire life has been about becoming financially independent and breaking the chains that bind us. I’m just about there. Here in America government isn’t sticking a gun barrel directly into our rib cage and telling us directly what to do, however the chains are economic ones, and we are simply slaves nonetheless. I suppose it’s being done to us in a much better way than in some parts of the world, but it’s still being done to us.

Gary Collins was in the Army Rangers, and also worked in government as a Federal Agent, so he’s got quite an interesting story to tell. He also writes books. You might enjoy these shows. It’s worth a listen. I recommend episode “#49: Truth and Consequences of the Crazy RV life,” and also “#45: How to Reclaim Your Freedom with Matt Kibbe.” It’s a changing world, and we need to change with it, to try and remain free.

If you also have thoughts on the topics discussed in this or previous episodes, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Butterbeans, Mark Holland, Steve Hoos, Shelby Cruver, Kai Siers, Vlad, Jackie Plage, 1i11g, Fadi Mansour, Philip Klostermann, ikn, Jaroslav Lichtblau, Matt Jelliman, Joe Poser, Dirk Dede, David Potter, Dave Umrysh, Mika, Vytautas Sadauskas, RikyM, drivezero, Martin, Jonathan Edwards, Barry Williams, Silviu Vulcan and S.J.