Privacy Shield 2.0 is ‘High Priority’ but ‘Not Easy’, Warns EU’s Vestager

The EU’s executive vice president for digital strategy, Margrethe Vestager, said yesterday that reaching a new data transfer agreement with the US is a “high priority” for the bloc — but she also warned that a replacement for the defunct EU-US Privacy Shield (and, before that, Safe Harbor) is far from a done deal, given the fundamental legal clash between European privacy rights and US surveillance overreach. Some press stories in recent weeks have hinted that a new transatlantic data transfer agreement is imminent — maybe as soon as this month, according to a Politico piece dated February 3.

Commissioner Vestager’s mood music, on the other hand, suggests otherwise. “Making such an agreement with the Americans is a high priority endeavor,” she said during a Q&A session at a news briefing on the Commission’s newest proposal on data sharing (aka the Data Act). “To put it mildly, this is not an easy task. Because we follow the lead of the court [CJEU], which decided on the basis of the Charter of Fundamental Rights, which we cannot or will not amend.

“So we need to figure out a method to cooperate with the Americans that is consistent with this — in order to avoid a bad Schrems III ruling if that is the case. But it’s a top goal for us to enable the business community to make the most of data while doing it in a secure and transparent manner — which is why we’re advocating for it.”

The data transfers issue arose in the context of the Data Act because the draft legislation proposes a sort of ‘Schrems II for non-personal data,’ as data protection experts quickly dubbed it (whereas the Schrems rulings that nixed Privacy Shield and Safe Harbor concern exports of personal data out of the bloc).

“Safeguards against unlawful data transfer without notification by cloud service providers” is one of the proposal’s specific objectives, according to an explanatory memorandum attached to the draft Data Act, which explains: “This is because concerns have been raised about non-EU/European Economic Area (EEA) governments’ unlawful access to data. Such protections should help to boost trust in data processing services, which are becoming increasingly important in the European data economy.”

The Data Act’s Article 27, which deals with foreign access and transfer, also states:

“Providers of data processing services shall take all reasonable technical, legal, and organizational measures, including contractual arrangements, to prevent the international transfer or governmental access to non-personal data held in the Union where such transfer or access would conflict with Union law or the relevant Member State’s national law.”

“We are arguing that non-personal data shouldn’t leave the EU if it’s likely to fall into the hands of foreign spooks we don’t trust,” one EU source familiar with the situation said, comparing it to a “Schrems II for non-personal data.”

This plain-text limitation on data transfers looks worrisome for anyone fondly assuming that the regional legal uncertainty that has been hanging over (particularly) US-based cloud businesses since the middle of 2020 is just a light fog that will soon clear. In the draft language of the Data Act, the Commission appears to be doubling down on Schrems II rather than looking for ways to get around the CJEU’s decision, as it did after Schrems I by hurrying to agree on a Privacy Shield with such clear legal defects. The European Court of Justice’s two strikes on this matter in quick succession appear to have put an end to any similarly unscrupulous attempt to patch up basic legal flaws.