The US Department of Commerce, in a joint press release with the European Commission, is calling for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16th judgment of the Court of Justice of the European Union in the Schrems II case, which ruled the current EU-US framework “is no longer a valid mechanism to transfer personal data from the European Union to the United States.” (Note: Mr. Schrems claimed in a complaint against Facebook Ireland that the United States does not offer sufficient protection of data transferred to other countries. The case is seen to have broad implications on the enforcement of GDPR data transfer privacy requirements.)
Europe\’s top court struck down Privacy Shield, and Safe Harbor before it, is really no surprise. The internet spans the globe, with data going everywhere, all the time, for billions of users. While the internet was hailed as a borderless platform to bring the world together, the reality is each region has its own concerns and laws governing it. This is a perfect example of exactly that. The European Union puts data privacy for its citizens first, ahead of Law Enforcement and State needs. The US puts National Security and Law Enforcement interests ahead of personal privacy. It\’s a fundamental difference in perspective, which makes it difficult for businesses to navigate the legal hurdles while simultaneously complying with conflicting regulations on a global scale. Finding common ground will take negotiation and compromise, but it is vital. The data must flow.
The EU and the U.S. are working on a new Privacy Shield agreement, however, there\’s much room for skepticism after both Safe Harbor and the first Privacy Shield were struck down by the European Court of Justice over the past few years. A joint statement between the U.S. Secretary of Commerce and the EU Commissioner for Justice states the two sides are working towards a new agreement, however, it all seems to be hand waving at this point until the U.S. government makes drastic changes to national data security policy and procedure.
Privacy Shield was struck down primarily because federal U.S. security agencies, such as the NSA, have too much access to personal information stored by U.S. tech companies and other organizations.
Without drastic reform to data privacy standards in the U.S., and the reach of agencies like the NSA, any potential new Privacy Shield agreements will most likely be swiftly shut down by the same court in the EU. It\’s clear the U.S. needs a mechanism like Privacy Shield in place, however, so far, the U.S. government hasn\’t taken any clear action that indicates they intend to start taking data privacy more seriously.