Bridging the trans-Atlantic data divide: Privacy shield and what’s next

A POLITICO Working Group Report

The flow of data across international borders is the backbone of commerce in today’s global economy. Yet every country has different legal requirements for the protection of personal data. Reconciling U.S. surveillance practices and commercial use of consumers’ information with the European Union’s stringent privacy laws has been a challenge for U.S. telecommunications companies doing business in Europe, and vice versa.

For many years, companies got by with the so-called Safe Harbor agreement, under which the EU permitted transfer of EU data to U.S. companies that voluntarily agree to meet certain privacy standards. But this accord could not survive the furor over the 2013 revelations about the scope of U.S. government surveillance of international communications, leaked by the former National Security Agency contractor Edward Snowden. EU citizens challenged U.S. privacy protections as insufficient, including in a case brought by an Austrian activist against Facebook. In October 2015, Europe’s highest court struck down Safe Harbor largely on account of U.S. surveillance practices, throwing billions of dollars in trans-Atlantic data-related commerce into uncertainty. Negotiators from both sides of the ocean rushed to cement a new data deal between the U.S. and European Commission. They produced a new framework, dubbed Privacy Shield, which went into operation on Aug. 1. In essence, it provided additional privacy safeguards, oversight and redress mechanisms for EU citizens. However, uncertainty remains over its ability to withstand additional legal challenges.


Against this backdrop of turmoil, POLITICO recently convened a group of policymakers and stakeholders for a frank conversation about the U.S. perspective on U.S./EU data protections, Privacy Shield, and the future of trans-Atlantic data protection. This discussion - moderated by POLITICO’s cyber security editor Cory Bennett - brought together negotiators of the new agreement, officials charged with putting the new deal into effect, representatives from industries affected by its provisions, and privacy advocates. The group also discussed a policy framework for trans-Atlantic — and global — data protection. In general, there was broad consensus that a stable legal framework for data protection would act as an important “trade enabler” for companies doing business across the globe. The group identified several policy options, but agreed that the way forward is complicated.

The discussion was on the record, but, to encourage a free and frank conversation, comments were not attributed to individual participants. What follows is their candid assessment of the primary legal and implementation challenges facing the new EU-U.S. Privacy Shield, and the prospects for its long-term survival.

1. From the U.S. perspective, the EU/U.S. Privacy Shield is “one hand clapping”

From the U.S. perspective, the EU-U.S. Privacy Shield negotiations surfaced a gap in European understanding of U.S. privacy law, especially the steps taken by the United States since 2013 to curtail government surveillance in the wake of the Snowden leaks. These include, for example, President Obama’s January 2014 presidential policy directive that, for the first time, recognized that noncitizens abroad have privacy interests that the United States government should respect by limiting bulk surveillance information gathering, addressing security needs, etc.

U.S. negotiators hoping to create a “bridge between the two continents” find difficulty in explaining the complexities of a broad swathe of the U.S. legal landscape, including criminal law and regulatory enforcement, to European Commission officials and nearly four dozen national and regional data protection regulators.

“One of the holes that existed in the bridge between Europe and the United States was a real lack of understanding in Europe about how, for instance, the privacy framework in the United States just works. You know, how do we do privacy here?”

“Our system is not necessarily worse. In some ways it’s better than the European system. If you want to look at it from the perspective of being privacy-protective, for instance, some of the provisions of the Fair Credit Reporting Act -- they don’t exist in Europe, and they are deeply protective.”

The agreement between the U.S. and European Commission, though, said participants, was limited to putting U.S. practices in the spotlight: It does not address the surveillance practices of each of the 28 EU member states at home or abroad. (The European Commission, per se, does not engage in surveillance, a function reserved for member states.)

“We have the European Commission that does not have competence in this area [surveillance], and I personally can’t imagine that the member states will ever give them competence.”

Indeed, some on the U.S. side were also frustrated the negotiations didn’t address the inability of EU institutions to constrain the surveillance of Europeans by individual European member states.

“The Privacy Shield negotiations were in the shadow of Snowden, and we were at a complete disadvantage in negotiating because of that. Going forward, we need to say to Europe, let’s have an even playing field when it comes to what national security and surveillance means. Because guess what: When member states want information from U.S. law enforcement and three-letter agencies because of terrorism, they’re going to come to us.”

At the time of the roundtable, about 300 U.S. firms had completed the process of certifying that they’ll abide by the two-month-old framework – a rate of adoption with which U.S. officials said they’re happy, given the robust privacy restrictions newly placed on companies.

“You have a framework in place and companies are volunteering to abide by it. You have real oversight, and then you have the ability to revise the framework and have a dialogue, if need be, on an annual basis, or more if there’s a problem.”

2. Despite the EU/U.S. agreement, the global legal regime around data protection is uneven and unstable.

That said, there are considerable legal clouds still hanging over the future of both Privacy Shield and trans-Atlantic data-sharing more broadly. The deal includes a last-minute provision subjecting it to an annual review. ‘Digital rights’ activists in Europe, meanwhile, are attempting to have the deal invalidated by the courts.

Moreover, Privacy Shield covers only the way that commercial data are transferred between EU member countries and the U.S. – leaving unresolved questions of how countries all over the world can safely share all sorts of other digital data.

“Right now, we are living in a world that has, in my opinion, far too much uncertainty.”

Policy options to reduce legal uncertainty around international data flows

Policy Option 1: Leading by example through surveillance reform

Everyone at the table agreed the U.S. must continue bringing greater transparency to the American government’s surveillance practices both at home and abroad. But various parties disagreed on what further changes, if any, are needed on the scope and limits of NSA programs that, for example, permit the United States to collect foreigners’ communications from American companies based on American soil without court warrants, or that collect global Internet traffic in bulk when the agency is operating outside the United States.

One disconnect was whether it is sufficient for the U.S. to impose safeguards and limits on how it can use data it has already collected, or whether it should be collecting less data in order to protect privacy – even if that means it will sometimes miss clues that are important for protecting national security.

“What I think we’ve missed in the conversation so far is this initial conversation about when does the privacy ‘event’ happen? … [O]ne of the problems that the privacy community has with the surveillance is that we see the privacy event, and the ECJ, saw the privacy event as happening at the moment of collection. And so none of the reforms that we’ve seen in the U.S. so far…has focused on that question. And I think Privacy Shield also inherently couldn’t address that question because it would take a change in U.S. surveillance law.”

Such discussions could help drive European countries to be more self-reflective on their own surveillance policies, participants said.

“I think we need to see some more substantive reforms. Particularly, to U.S. surveillance authorities, in part because what the U.S. does can wind up being a template for folks around the world.”

“There are a lot of European countries that engage in, arguably, mass surveillance. And so there is a hypocrisy there, I agree. But if we were to start saying, ‘Nope. Privacy impact happens once you collect,’ I think we might see this conversation have a little bit more reciprocity.”



Policy Option 2: Trade Agreements

Participants agreed that new trade agreements could aid progress on data flows, but at present, negotiations on proposed accords like TTIP [Transatlantic Trade and Investment Partnership] are bogged down.

“Privacy Shield is, for all intents and purposes, a form of trade agreement. It’s a very specific one, but it is an important trade enabler.”

“Trade agreements are potentially a place where you could set some parameters. But the T-TIP negotiations are at an impasse … and it’s doubtful to me that we’re going to have a robust agenda of trade agreement negotiations going forward.”

“The main challenge with the trade agreement, or trying to pursue legislation, is it just takes so long. Most of the issues that we’re talking about in the development of policies that are affecting technology-related industries is that the tech, and the scale of data, and the way it’s being used, it’s moving so quickly that trying to wait for a trade deal, and then the subsequent legislative action, is just really slow.”

“Trying to do this through trade agreements is a nonstarter.”

Policy Option 3: Harmonized surveillance and cybersecurity conversations

Even if it survives court challenges, Privacy Shield reconciles only a fraction of the major digital policy differences that the U.S. and EU must hammer out in the years to come. Participants said the two sides need to establish broader frameworks and “best practices” for handling data. If they fail to set global norms, individual countries will inevitably rush forward with proposals — including data localization laws, which pose a threat to cloud computing by requiring that information from a particular nation be stored on servers in that nation — that would make digital transfers more difficult.

Such discussions would also help pave the way for cyber rules of the road amid escalating state-sponsored hacking and the rise of cyberwarfare.

“The enunciation of good practices can later become the basis for some sort of overarching agreement, which probably needs to be in the trade context.”

“There really should be a fulsome discussion between Europe, the United States, other countries that respect human rights, generally, about surveillance practices.”

“We have common enemies with regard to destructive hacking, with regard to countries that are going to use cyber weapons offensively. And that stream also needs to move forward because, in the end, that will need to take in account data protection concerns. It will also bring European member-state surveillance services that collaborate actively, on a daily basis, with U.S. intelligence agencies, to the table in a discussion.”

“At the end of the day, China, and Russia, and a bunch of other countries, are not going to go along with a norm-setting exercise that takes into account data protection.”

“The only thing that brings a lot of people together on all these components is the issue of cyber warfare… There needs to be a better thought process for the next administration, and just globally, for how we’re going to manage these issues.”

Policy Option 4: Working with like-minded countries — but which ones?

Participants explained that countries around the world are closely watching Privacy Shield negotiations, with some wondering how they could benefit from the eventual deal.

Their interest speaks to a widespread desire, they said, to establish global agreements among “like-minded” countries that would facilitate e-commerce and smoother, safer data transfers.

“If you look at the Privacy Shield as the model, it was one hand clapping. It was the United States making a series of commitments with regard to its surveillance regime. But there needs to be a mechanism for countries to make similar representations and commitments with their intelligence agencies, essentially represented at the table. So that’s not quite a trade agreement, but these are more complex interactions that involve trade, that involve intelligence and law enforcement. And I think that it can almost be a free-trade zone. It can create momentum among like-minded countries.”

“There are an incredible number of countries that are trying to figure out how they could do something similar [to the EU-U.S. agreement] in terms of bridging quickly. We get a lot of outreach from other countries all over the world.”

“I was fascinated that the Japanese government and the Japanese media were asking me, “When Privacy Shield is done, how could Japanese companies take advantage of it? What is it going to mean for us?” And it was like, “Well, actually, not a lot.” But absolutely, like, that is the issue that we need to solve.”

“It makes sense for a country, like Japan, very committed to international norms, to be able to sign onto something similar.”

“There is a project in APEC [the Asia-Pacific Economic Cooperation forum, a group of 21 Pacific Rim countries], which is an example of trying to do that. We focus on this one-way highway, from Europe to the United States, but obviously, data is just flowing all sorts of different highways, or bridges, or whatever the metaphor is. So how do you develop something that involves a number of players?”

“There have been a fair number of these issues between the U.S. and Canada. We’re huge trading partners. That might not be a bad initial place to start. And Canada is also an ‘adequate jurisdiction’ for European purposes.”

“Picking some other European country—Ireland might not be a bad one, for example, not the U.K. —to begin to work through some of these issues and then build from there, I think would be a good idea.”

Policy Option 5: Renegotiating MLAT?

Additionally, countries may need to go back to the table on so-called mutual legal assistance treaties, or MLATs, which govern how governments can swap law enforcement data, according to those in the room. With cyber crime skyrocketing and terrorist attacks proliferating in numerous countries, MLATs are an increasingly critical component of establishing trusted data transfers around the globe, they said.

“We’ve got a lot of work we can do here at home, which I do think will build a ground swelling of trust. But I also think we need to get, on behalf of companies that are dealing with government access questions, some rules of the road that will work for law enforcement, work for national security, and allow companies to know when they’re supposed to give up data, and what the terms are. And that’s the MLAT discussions.”

Participants in the POLITICO Cybersecurity Working Group

Justin Antonipillai, Counselor, Delegated Duties of Under Secretary for Economic Affairs, Department of Commerce

Cory Bennett, Editor, Pro Cybersecurity, POLITICO

Julie Brill, Partner, Hogan Lovells and former Commissioner, US Federal Trade Commission

Chris Calabrese, Vice President, Policy, Center for Democracy & Technology

Victoria Espinel, President and CEO, BSA | The Software Alliance

Robyn Greene, Policy Counsel and Government Affairs Lead, New America’s Open Technology Institute

Jim Halpert, Co-Chair, U.S. Privacy and Cybersecurity Practice, DLA Piper

Cam Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies and the Center for Technology Innovation, Brookings Institute

Norma Krayem, Senior Policy Advisor, Co-Chair, Cybersecurity & Privacy, Holland & Knight LLP

Enrique Medina Malo, Chief Policy Officer, Telefónica S.A. (sponsor)

Ari Schwartz, Managing Director of Cybersecurity Services, Venable

Amie Stepanovich, U.S. Policy Manager, Access Now

Luiza Savage, Editorial Director of Events, POLITICO

Hugh Stevenson, Deputy Director, Office of International Affairs, Federal Trade Commission