Legal expert says long-term prospects for replacement data sharing agreement between EU and US increasingly uncertain in current regulatory climate
A Google appeal against a Philadelphia court judgement requiring the company to allow government access to data it holds on servers outside the US could mark the beginning of the end for the already under pressure EU-US Privacy Shield agreement that was introduced last year.
The Privacy Shield had been devised to set out clear safeguards and transparency obligations for US-based organisations processing data from EU citizens, ensuring their rights with regard to confidentiality in the States, impacting technology functions across the public and private sector.
It replaces the 'Safe Harbour' transfer arrangement that was invalidated by the European Court of Justice (CJEU) in 2015, although critics argue the new agreement could face a similar fate without clearer safeguards. Ireland's High Court has commenced hearings this week, at the behest of the country's Data Protection Commissioner (DPC), to refer a decision on the validity of standard contractual clauses (SCCs) such as the Privacy Shield to the Court of Justice of the EU.
"Because the SCCs mechanism is established under a decision of the European Commission, only the CJEU can make a ruling to the effect that the mechanism is invalid," noted the DPC in a statement.
The agreement is also being challenged on the other side of the Atlantic, which could have significant impacts on the operations of major organisations that include cloud service providers such as Amazon Web Services and Microsoft.
Earlier this month, Magistrate Judge Thomas Rueter in Philadelphia reportedly concluded that FBI agents could transfer electronic data in the form of e-mails held by Google on a foreign server for review. The action was seen as not counting as a seizure of the information.
A spokesperson for Google said it would be challenging the ruling, which differed from other similar cases involving commercial rivals.
"The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants," said a statement from the company.
It is understood that European data regulators that helped formalise the Privacy Shield could consider the Google court case as part of a wider annual review of the agreement and its functions.
The now defunct Safe Harbour remained in place for well over a decade. However, one legal expert argued that with the European Commission preparing for the first annual review of the Privacy Shield arrangement, Google's appeal is seen as putting further strain on the agreement that faces renewed scrutiny under a new White House administration.
Peter Wright, managing director for DigitalLawUK and chair of the Law Society Technology and Law Reference Group, said the judgement created further uncertainty around data protection and privacy commitments that could end up eventually being heard at the US Supreme Court.
He noted that previous court hearings on similar issues of data control involving Microsoft had not required the company to provide e-mails to authorities, with the Google judgement likely to set a precedent for ongoing legal action.
Wright claimed that Judge Rueter, in delivering the ruling, may not have appreciated the "hornet's nest" he had stirred up around data issues and protection across national borders with the judgement.
Should the case about Google's ability to protect data held on foreign servers from scrutiny of US law enforcement bodies end up at the Supreme Court, he said a ruling in the company's favour may not prevent further judicial challenges of a company's rights to withhold information abroad.
"I have always viewed the Privacy Shield and Safe Harbour agreements as a sticking plaster for data protection issues. However, Safe Harbour did last 15 years. This just shows us the times in which we live," Wright added of the arrangement introduced less than a year ago.
Since President Donald Trump assumed office last month, questions have also been raised over how his administration would seek to handle commitments and provisions under the Privacy Shield.
The president has already signed an order seeking to revoke protections in the country's Privacy Act for information held by the state on non-US citizens, with European data regulators studying the possible impact for companies signed up to the Privacy Shield. However, the Information Commissioner's Office argued that order was not thought at the time to have affected private sector bodies, with organisations still recommended to use the shield or other approved transfer schemes.
Wright argued that in his short tenure as president, Trump had not necessarily committed or held firm to orders or agreements introduced under previous governments.
The UK and GDPR in the long term
From the longer-term perspective of the UK's data transfer commitments, similar challenges were seen for organisations and businesses wishing to transfer information globally.
While the country will be required to comply with the incoming European General Data Protection Regulation (GDPR) from 2018 until it formally leaves the bloc, it was not clear how it may proceed afterwards.
Wright argued that based on controversial powers to seize and access data for national security purposes included in the country's Investigatory Powers Act, which was passed into law last year, there may also be concerns about meeting EU standards post-Brexit.
He said that while, as an EU member, the country would be cleared to transfer data to other member states under the umbrella agreement, the UK may face much tougher scrutiny as an independent country outside of European court jurisdiction.