Privacy Shield, and why it matters

The European Court of Justice just struck down a key data-sharing deal between the US and EU because the US sees fit to spy on the world.

Privacy Shield was a mechanism that allowed US tech companies to operate in the EU using a blanket agreement. By creating a compliant privacy policy and self-certifying, they could operate within Europe's tighter personal data protection environment. It operated like a kind of safe harbor program: there was no need to create a privacy policy specifically for EU residents, and companies that complied with its principles could assume that they were operating within the law. GDPR fines start at the higher of 10 million Euros or 2% of the company's worldwide revenues in the preceding year, so this was both a legally and financially meaningful protection.

It was knocked down on Thursday because of America's mass surveillance programs.

In November 2017, President Trump issued an executive order which, among other things, made it clear that US privacy law would only protect US citizens and "lawful permanent residents" (in other words, surveillance of non-citizens living elsewhere or of undocumented immigrants is permitted):

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This was effectively a clarification of existing policy rather than a new regulation. Because agencies like the NSA have historically had no restrictions on collecting data about overseas foreigners, tech companies that transmitted personal data into the US would be exposing that data to broad surveillance in violation of EU law. As we know from whistleblowers like Edward Snowden, those surveillance powers are often used on US citizens too, and information sharing between the US and UK allowed intelligence agencies to skirt around privacy laws in both countries.

While undoubtedly imperfect, GDPR had a very positive side effect: although it only pertained to EU residents, its effects were felt worldwide. It's not feasible to create one data storage protocol for one set of users and another for others, so in effect, at many tech companies, all user data was held in a way that complied with the legislation.

Here, too, the effects are likely to be felt worldwide. In addition to the existing compelling moral case, there's now a strong business case for international corporations to push for an end to mass surveillance: the loss of Privacy Shield is a real risk to their bottom lines. As privacy activist Max Schrems, who originally brought the case, put it:

As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.

Mass surveillance is a human rights abuse that has a measurable chilling effect on free speech and democracy. Surveillance capitalism has long been a go-to business model for tech startups, although this has been slowly changing during the last few years, in part because of pressure surrounding human rights abuses by agencies like ICE, but also because targeted advertising turns out to be less valuable than hoped. Anything that further aligns the business community with an individual's human right to privacy is good news.

Meanwhile, US legislators continue to work to erode our privacy. The EARN IT Act will pressure tech companies to eliminate end-to-end encryption so that communications can be directly surveilled. It serves as a stark contrast to the Privacy Shield ruling, and a reminder of the wildly divergent priorities on either side of the Atlantic.

Photo by Chris Yang on Unsplash