Head in the Sand 1: ignoring the incompatibility between the EU which won’t compromise on privacy, a fundamental human right in Europe, and the US which won’t compromise on mass surveillance, seen as essential for its security.
Authorities on both sides of the Atlantic have been reluctant to directly address the issues stemming from the fundamental difference in orientation between the EU’s privacy law and US’s mass surveillance activities. The EU is unwilling to compromise on the privacy of its citizens, seen as a fundamental human right in Europe. Meanwhile, the US is unwilling to compromise on the mass surveillance that it sees as essential for its security. Patching over the cracks between the two has been a challenge for politicians and policy makers.
In 2015, a successful challenge against the Safe Harbour agreement for transatlantic data sharing necessitated its hurried replacement by Privacy Shield. This also drove wider use of previously approved ‘model clauses’. Privacy Shield however shares many of the flaws of its predecessor and the introduction of the US CLOUD Act along with ongoing US surveillance has led to diplomatic criticism of the US by the EU and local authorities elsewhere. While doing its best to paper over the cracks the EU has demanding that the US take action. It has asked the US to appoint a permanent ombudsman and to provide adequate funding and resourcing for the Privacy and Civil Liberties Oversight Board (PCLOB). Underfunded and unable to exercise its oversight duties as the board had no quorum for 20 months, the PCLOB also hasn’t receive the information it is entitled to from the Intelligence Community, further hindering it in performing its duties.
Inadequate protections in the US and further challenges on the adequacy of both model clauses and Privacy Shield in the Irish High Court may well result in all of this being overturned, just as Safe Harbour was last time round.
There is also the risk that continued US snooping will also render US Cloud platforms potentially incompatible with GDPR. The unfavourable conclusions of recent Dutch and Swedish investigations, have been followed by the announcement an investigation by the European Data Protection Supervisor (EDPS) into software used by EU institutions, which may in turn lead to further investigations.
We are also seeing some policies that appear to be preparing the ground for Europe to gain data and technological sovereignty, with rigid borders and boundaries for cloud operations seen by some as a reality in the near term.