Skip to main content

Should We Wait for Privacy Shield 2.0?

Table of Contents

THIS ARTICLE WAS ORIGINALLY PUBLISHED ON WEBPERF.

The good news came on Friday. During Joe Biden’s visit to Brussels, the US president and European Commission President Ursula von der Leyen announced that an updated version of Privacy Shield would soon allow data transfers between the EU and the US again1.

Ursula von der Leyen
Source: European Union, 2022

For many people in Sweden and other EU countries, the past few years have been a legal nightmare. Since the introduction of GDPR, and even more so after Schrems I and II, the use of American cloud services has become increasingly uncertain from a legal standpoint. Or to say things more clearly, illegal.

Thanks to a data protection authority, organizations in Sweden had a little more breathing room for a while. This was especially true in the public sector, where desperate organizations waited a long time for clear guidance from SALAR before beginning to organize themselves into more informal consortia.

But in recent months it had become clear here as well that continuing to use Teams or Google Analytics was not sustainable.

So many people had probably been longing for an agreement between the EU and the US that would put an end to this legal nightmare. And now it is coming. Soon.

PRI-VA-CY SHIELD! PRI-VA-CY SHIELD!

Or…? Let’s take a closer look.

A statement that inspires hope…
#

Neither the European Commission nor the US president has been clear about when Privacy Shield 2.0 would be in place, but most observers have already warned that it will take at least a few months to conclude a new agreement.

Still, almost everyone is forced to be optimistic, because American cloud services sit behind such a large part of our digital lives. If this is resolved before autumn, perhaps it is not worth stopping the use of Google Analytics on the website. And surely it makes sense to start preparing the renewal of the Office 365 package for all municipal employees…

Imagine working at a public authority with stuffy lawyers who force you to keep using Skype for Business. Soon you will be able to switch to Teams and choose your own background.

But also questions…
#

Anyone familiar with the history of US-EU data policy has every reason to be cautious about this new chapter. From Safe Harbor to the awkward void that now governs data transfers between us, there have been many twists and turns. For more than ten years, the EU and the US have been negotiating in search of an agreement. The EU wants stronger guarantees that Europeans’ data, when processed by American companies, will not be subject to surveillance by US intelligence agencies. The US wants to preserve that capability. Despite all these negotiations, the US has still not made any compromise on that point. Quite the opposite2.

On top of that, Biden will have a hard time securing support for a political solution in which the US agrees to stop surveilling European data. There is no clear majority for legislation, and several people have expressed doubts that an executive order would be enough. You can read Arman Borghem’s excellent post on exactly that question.

Max Schrems
CC BY 2.0 Josef Weidenholzer (Wikimedia Commons)

Even Max Schrems, founder of NOYB, is doubtful that this new development will be the end of the story. In a new blog post, he says:

“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move.

[…]

The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”

The truth is that the odds of finding a lasting agreement are probably still very low, and in any case it will take time before one is in place and all legal challenges have been settled.

So what should we do?
#

Wait? Hope for the best? Or rather begin, or continue, the painful transition away from the convenient American cloud services?

To answer that question once and for all, we need to stop letting legal fear drive our organizations’ entire digital strategy and start thinking again about what is best for users and for society. We need a digitalization strategy that no longer pretends to be apolitical, but instead dares to be grounded in values: ethics, privacy, openness.

Decorative image of children with tablets
CC BY 2.0 Brad Flickinger (Wikimedia Commons)

For a regional authority, it should be obvious not to let Google know about its patients’ affairs. For a municipality responsible for thousands of schoolchildren, it should be obvious to make sure their personal data is not being surveilled by another state. Not because they risk fines from the Swedish Authority for Privacy Protection, but because it is the right thing to do. And of course the same applies to private services, if they truly want to act in their users’ best interests.

It is tragic that those of us working on digitalization in Sweden only started caring about privacy when this legal threat drew near. But it would be even more tragic if we stopped caring as soon as a new agreement arrives.

I am glad to see growing interest in eSam’s Digital Collaboration Platform, but I am also afraid that it will disappear as soon as the fear of making a legal mistake begins to fade.

This work is the most promising attempt we have had in many years to free Sweden’s public sector from the difficult lock-in it has placed itself in. And it is a chance to finally build a digital strategy for Sweden’s public sector that delivers what is best for Sweden and lives up to the principles of its democracy. We cannot let that go, even if GDPR stops feeling threatening.

Pierre Mesure
Author
Pierre Mesure
Digital activist working to improve democracy through openness, participation and innovation