Privacy Shield makes a comeback

This is about as mainstream newsworthy as data news gets.  But in the last week, since Independence Day, the US / EU Data Privacy Shield has made a comeback.  And it’s as sudden as it is surprising; clearly, there has been a lot of work going on behind closed doors.

Firstly, let’s go back a bit.

In one critical area for the modern world – that of data – the US and the EU have for some years been drifting apart.  The EU held that the privacy of the individual should be sacrosanct, and that the risk of personal data being used for surveillance or other nefarious means should be protected against.  The US believed that the protection of national security in a world of greater geopolitical uncertainty was the greatest way of providing a safe environment and society, and intelligence to maintain that security for the sake of the common good was therefore most important.

As a result, the EU and the US had been at loggerheads over the precise nature of what the best safeguards were for maintaining the rights of the individual and what it means to be a democracy.  And they also decided that they couldn’t both be right; the EU said that personal privacy was most important, and trumped national security, whereas the US had it the other way around.  For that reason, whilst on the face of it the US/EU Privacy Shield was in place, and meant that data could be shared between the two states, it was something of a house of cards.  When privacy campaigners in the EU challenged the legitimacy of the data sharing, arguing that data shared with the US could be used, however theoretically, for national security surveillance, the campaigners won, and the Privacy Shield was invalidated.

This meant companies had to use other legal methods to share data, and effectively guarantee that customer data from the EU would be dealt with in line with EU legislation, even if it was stored in the US.  It was / is complex and annoying.  As this continued, those same campaigners continued to take on those that seemed to flout the law, particularly big US companies.  And particularly Google, and Google Analytics, a customer analytics tool, because it captured personally identifiable information and stored it, by default, on US-based servers.

And then, something truly dreadful happened.

Last year, the invasion of Ukraine was a catastrophic disaster for those in that country.  War – real, horrible war – had returned and shattered the peace on the European continent.  But it did something else; it managed to remind many Western countries that they had more in common with each other than they had differences.  It galvanised opinion and attitudes that democracy was something that was worth fighting for, and those in Ukraine were doing just that.  The precise nuance of which tenets democracy is based on suddenly mattered a bit less.

In spring 2022, the US President, Joe Biden, and the EU President, Ursula von der Leyen, announced a package of support for Ukraine, both military and financial.  And importantly, on the same day, they also announced that they would revive the US/EU Privacy Shield.  Rarely, if ever, had data and data strategy made it onto front page news, if only as a footnote to the main news.  But this demonstrated that the two were clearly linked – allies who are prepared to support a war must be able to sort out other differences.

And then… nothing.  Whilst military support for Ukraine was discussed and detailed in depth, it sounded like the data part would be quietly forgotten.  Summer became autumn, and autumn became winter, and the Privacy Shield was nowhere to be seen.  Indeed, Google Analytics rushed forward the launch of its new version, GA4, so it could switch off its previous version, which had so offended EU privacy campaigners.  This switchover happened on July 1st.

And then, as quickly as everything had been slow, the Privacy Shield bounced back.  On July 3rd, just before Independence Day, the US Department of Commerce announced that it had done its part of the deal and had changed the EU’s data status to a “legitimate state”.  The next step was for the EU to effectively reciprocate, and make an “adequacy” decision – to state that the US did have adequate safeguards in place to ensure personal data would be stored and used in the right way.  No timeline for this was given, so it felt like another false dawn.  And then, on July 10th, the EU announced it had made its adequacy agreement.  The EU and US were data friends again, and Privacy Shield “3.0” was back.

There are no doubt legal details to be reviewed, especially given how quickly this has been announced, and how little public lead-up there has been.  That said, this has been a carefully co-ordinated process in the background, which suggests both states are confident in what they have set up.  But it resets the data landscape again and removes some of the legislative headaches, although there will certainly be a legal challenge in the EU from privacy campaigners.

But for now, it’s worth reflecting that data and democracy have been working hand in hand.

Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework | U.S. Department of Commerce

Adequacy decision for safe EU-US data flows (europa.eu)
