Don’t hold your breath on the Privacy Shield redo

Hello, and welcome to Protocol Policy! Today, we’re taking a closer look at the hype surrounding the U.S.-EU data transfer agreement. Plus, Meta’s smear campaign against TikTok, and Elon Musk makes a “shady” legal argument against the SEC.

Fool me twice

The Biden administration has been plenty tough on tech. But last week, the White House did the industry a solid, announcing it had struck an “agreement in principle” with the EU to allow transatlantic data flows.

Tech leaders have been desperate for this kind of news ever since a European court struck down the Privacy Shield framework in 2020. The news of a deal had them practically swooning. “With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running,” Meta president of Global Affairs Nick Clegg said in a tweet, not missing the moment to remind global leaders of the all-too-relevant consequences of splintering the internet.

But the praise is a little premature. The truth is, the U.S. and the EU have a clear interest in appearing united against Russia’s invasion of Ukraine, and part of that unity comes in the form of promoting shared democratic values, including around privacy.

• There’s a reason the announcement came as part of a much broader condemnation of Russia’s actions.
• But just because the deal has become politically pragmatic doesn’t mean it’s on any surer legal footing than all the deals that came before it and were then undone in court.

Remember what ultimately killed Privacy Shield: the court’s concern that Europeans’ data wasn’t safe from spying by the U.S. government. Two years later, not much has changed. If anything, things have gotten worse.

• Earlier this month, the Supreme Court unanimously made it a little easier for the government to invoke the state-secrets privilege in surveillance cases.
• And just over a month ago, lawmakers revealed an ongoing bulk data collection program by the CIA, which has already slipped entirely out of the news cycle.
• None of that paints a promising picture of American progress in checking government surveillance.

Details on the substance of the new framework are almost nonexistent. But the White House has hinted at some ways the new deal will address Privacy Shield’s problems.

• It would establish a new Data Protection Review Court, so people living in the EU can seek redress in the U.S. But it’s unclear what form that court will take or where it will live.
• The Biden administration also vaguely alluded to the creation of new privacy and civil liberties standards for U.S. intelligence agencies.
• The White House says it will make these commitments in the form of an executive order, which of course will only last as long as the next president wants it to.

All of that has left Privacy Shield’s biggest critics dubious of the redux. That includes Max Schrems, whose lawsuit is what killed Privacy Shield to begin with.

• "We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now,” Schrems said in a statement, noting that he “expect[s] this to be back at the Court within months from a final decision."
• Others argue that there could be hope for the new framework if it also encourages companies’ pseudonymization of data in ways that are compliant with GDPR and an increasing number of state privacy laws in the U.S. “If you have those controls in place, it’s surveillance proof,” said Gary LaFever, CEO at Anonos, a software company that not coincidentally offers this service.

Despite the breathless celebration from the tech industry, this deal is a long way from done. Even once the fine print is finalized and codified in an executive order, its future — and the future of companies that will rely on it — will still be uncertain as the deal faces scrutiny from European courts.

It is crucial for the U.S. and EU to find a way forward on data transfers. It’s just not clear they’ve found that way yet.

— Issie Lapowsky (email | twitter)

This article originally appeared in Protocol. All trademarks are the property of their respective owners. All rights reserved by the respective owners.