(Privacy) Shield or (Damoclean) Sword?
What’s in a name? That which we call a Safe Harbour by any other name would smell as… sweet?
The approach of the EU executive and legislative branches in recent years has overwhelmingly evoked the Kafkian idea of a lawyer as a person who writes a 10,000 word document and calls it a “brief”. Yet another curious trend could be observed when it comes to announcing severely criticised decisions which fail to gain the public’s trust. A recent example of both trends is the adoption of the EU-U.S. Privacy Shield which purportedly cleans up the mess after the Schrems decision.
The final text promises EU citizens and businesses the Promised Land of legal certainty for companies on both sides of the Atlantic that want to do business together by “injecting” a new momentum in the transatlantic partnership. The ultimate goal of the new instrument is to make sure data transfers outside of the EU are only permissible if a business can guarantee “essentially equivalent” protection and protection of the fundamental rights of the European Union.
However, in my and many others’ opinion, this text fails to live up to its promises. Why? I suggest at least three reasons…
Fool me once, shame on you; fool me twice, shame on me
First, the Shield uses strong political language in an attempt to reinforce citizens’ and businesses’ faith in its core principles. For example, the text, including the recitals, uses the word “robust” two times, the word “guarantee” and its derivatives 21 times, the word “sufficient” and its derivatives 5 times, and the word “ensure” and its derivatives 57 times. Another curious fact is that during the press conference of 12 July, one could hear a waterfall of words and phrases such as “enormous potential”, “shared values”, “common values”, a “milestone” etc. The issue here is not so much the use of political language. Rather, it is the overall drafting technique based on an ill-founded choice of ambiguous language when exactly the opposite was expected.
Second, the Shield, allegedly following the guiding light of the Court of Justice of the EU, promises a level of protection that is ‘essentially equivalent’ to the one guaranteed by EU data protection legislation in force (recital 137). That claim is quickly overturned by the introduction of a principle of choice, under which users may opt out if they do not want their personal information to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals (Annex II, II.2.a). Contrary to the opt-in system employed by EU law and based on consent, the Shield reflects a notion which “gives companies a general blanket allowance to use the personal data of any person under the sun”.
Third, the Shield introduces a new legal actor, namely the Privacy Shield Ombudsperson. This new figure is tasked with a variety of functions. It aims to ensure that individual complaints are “properly investigated and addressed” (recital 117). Furthermore, the text reassures that the Ombudsperson would be “independent from, and thus free from instructions by, the U.S. Intelligence Community” (recital 121) and that this mechanism “guarantees independent oversight and individual redress” (recital 118). Given this broad scope, it is striking that the Under-Secretary would be entrusted with the tasks of the ombudsperson and that the whole construction is built upon a ‘commitment’ of the US Secretary of State to ensure that the function of the ombudsperson will be carried out objectively and free from any improper influence. Apart from the complete lack of any clarity as to what constitutes ‘improper’ influence (implying that there may be another category of cases of ‘proper’ influence), a much more significant issue concerns the fact that a non-judicial body is entrusted with ensuring independent oversight and individual redress.
Of Shields and Men
A perhaps little-known use of the scutum (the Latin word for ‘shield’) in Ancient Rome was as a tool for psychological warfare during the capture of Syracuse. But the shield also served as a symbol of the Princeps’ “valour, clemency, justice and piety” (Res Gestae Divi Augusti). One may reasonably ask: ‘Which one does the Privacy Shield represent?’
Revolutionary discoveries are rare. Even more so in law. The Privacy Shield is certainly a ‘features update’, but not a much-needed ‘upgrade’ of the system. If it is here to stay and if it is expected to be adhered to by businesses, the unanswered questions should find their answers as soon as possible. Otherwise, the Shield risks undermining legal certainty, putting at stake the fundamental rights of EU citizens and effectively calling upon itself the sword of Damocles in the hands of the Court of Justice of the EU.
This article was first published in CiTiP Blog and is reprinted here with the author's full permission.