EU is losing its patience with the US government over its failure to implement properly the Privacy Shield deal

Posted on Oct 2, 2017 by Glyn Moody

Last week, the European Commission announced new guidelines to tackle illegal content inciting hatred, violence and terrorism online. Central to its new framework is expecting “online platforms” – Internet companies like Facebook, Google and Twitter – to take a more pro-active role:

“The Communication invites online platforms to step up their efforts to remove illegal content online and proposes a number of practical measures to ensure faster detection and removal of illegal content online.”

Those measures include closer cooperation with law enforcement agencies; the recognition of “trusted flaggers” – other organizations that will be allowed to tag material as illegal; and, perhaps most problematically, the use of upload filters to prevent material being posted in the first place. And just to concentrate people’s minds, the Commission added that it would:

“Monitor progress and assess whether additional measures are needed, in order to ensure the swift and proactive detection and removal of illegal content online, including possible legislative measures to complement the existing regulatory framework.”

In other words, if Facebook, Google and Twitter don’t do enough on a voluntary basis, the EU is threatening to bring in new laws to force them to do it. This plan to turn Internet companies into the EU’s online police isn’t the only problem they have in the region. They are also subject to increasing scrutiny of how they are operating in Europe. For example, in June, Google was fined over $2.5 billion for “abusing dominance as search engine by giving illegal advantage to own comparison shopping service”. Although the company is appealing against that fine, there are two other cases where the European Commission is still investigating whether Google abused its dominant position – one concerning Android, the other AdSense. More generally, the EU also wants big tech companies to pay more in local taxes.

As if being forced to filter every upload, and forking over more taxes, weren’t enough problems for US Internet companies, there is another, arguably even more serious threat coming from the European Union. It concerns the flow of personal information across the Atlantic. That apparently obscure issue is tricky because the EU’s privacy laws allow the personal data of its citizens to be sent only to third countries that guarantee strong privacy protection. An “adequacy decision” from the European Commission, certifying that the privacy protection in a non-EU country is good enough, is needed before data can be sent there.

One of the Commission’s most important adequacy rulings was that the “Safe Harbor” framework, agreed with the US Department of Commerce in 2000, could be used by companies to transfer EU personal data across the Atlantic. Unfortunately, it was struck down by the Court of Justice of the European Union (CJEU), the EU’s highest court, in October 2015. The CJEU ruled that the US authorities’ broad access to EU citizens’ personal data “must be regarded as compromising the essence of the fundamental right to respect for private life.”

To remedy the loss of Safe Harbor, in 2016 the US and EU drew up a replacement, called Privacy Shield. It is broadly the same as its predecessor, but includes new safeguards that were meant to address the specific criticisms of the CJEU. As the European Commission explained when it unveiled the Privacy Shield framework:

“The new arrangement includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context.”

The creation of the new Ombudsperson post in the US was a critical element of the deal, because the lack of an adequate redress mechanism was one of the key reasons why the CJEU said Safe Harbor was unacceptable under EU law. That makes the following news from last week rather awkward:

“US authorities under Donald Trump’s administration are yet to set up a permanent ombudsperson, to whom EU citizens can file complaints if they believe their rights have been violated.

[The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova] said the EU commission would not “wait forever” for the US side to appoint someone, on a permanent basis, to the position.”

Another key Privacy Shield promise was that the US would provide “effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply.” But the EU’s Commissioner said that in practice, the US authorities were not being proactive enough in cracking down on non-complying US firms. The EUobserver article quoted above also notes that the Trump administration is loosening privacy rules, not strengthening them, as the CJEU decision implied was necessary.

Putting those elements together means that legal challenges to Privacy Shield – one of which is already working its way through the EU courts – stand a good chance of being successful. As this blog reported, a similar data flow agreement was thrown out by the CJEU back in July. Such an outcome would be a serious problem for companies like Google and Facebook that move massive quantities of personal data about EU citizens across the Atlantic every day.

Although there are other ways to satisfy the EU’s data protection laws, some experts believe they too suffer from the same problems as Safe Harbor and Privacy Shield. It may be that the CJEU is unwilling to allow any personal data to be brought back to the US, using any legal mechanism, while the NSA is able to subject it to unbridled mass surveillance.

Since there seems little hope that the Trump administration will increase privacy protections for non-US citizens, or rein in the spying of the NSA, companies such as Google and Facebook may well need to keep all personal data regarding EU citizens entirely within the EU if they wish to operate there in the future. They will doubtless resist such a move, but the threats of new laws being imposed on them, not to mention more billion-dollar fines, show that the EU is in no mood to compromise when dealing with US Internet companies. The whole Safe Harbor and Privacy Shield saga is a reminder that, even though the US is the undisputed leader in many other areas of Internet policy, when it comes to privacy, it is the EU that sets the pace.

Featured image by Thad Zajdowicz.