Privacy advocate Schrems: A ‘clean’ agreement with the US is hardly possible

Max Shrims with his nube organization Something like a European data protection code. The Austrian has sued Facebook several times over its handling of personal data and won the case. He also managed to get two agreements between the USA and Europe, according to which the handling of personal data was regulated, for their cancellation by the European Court of Justice.

One of the agreements was called Safe Harbor and was in force from 2000 to 2015. Its successor, called Privacy Shield, only lasted from 2016 to 2020. Shrims sued both agreements because they violated the privacy agreement in force in Europe.

US foreign citizens are almost data fair game

Either way, there was a fundamental problem that would remain even with a new agreement like the one planned by US President Joe Biden and European Commission President Ursula von der Leyen: In the US, there are mass surveillance laws that differentiate whether you are an American or not, as Schrems says in an interview with BR24. Concretely, this means that if you’re American, the data is more or less protected, and if you’re European, it’s not.

Data from foreign nationals in the United States can be evaluated in the national interest — a flexible formula, says Max Schrems. Plus, you won’t even have to a court agree to evaluate the data. Authorities can also perform x-rays of foreigners without appreciable suspicion.

For the average user, this probably isn’t a big deal. On the other hand, journalists, political activists, or people of certain religious affiliations can be quickly targeted by US authorities. Then there is “bycatch,” as Shrems calls it. So: If I have been in contact with someone in any way that US services find suspicious, I will also be digitally scanned.

Data sharing between the US and the EU is currently illegal

Although there are currently no data protection agreements in place, data is still exchanged with the USA. In some cases, this is completely legal, because the European General Data Protection Regulation (GDPR) contains exceptions for absolutely necessary data traffic.

In most cases, Sharmas says, it’s all about outsourcing. This means that European companies send their data to US cloud services (such as Amazon Web Services, Microsoft Azure, and Google Cloud) because they are cheaper or more practical – but not necessary. According to Sharms, this data traffic is currently illegal and should not actually occur. Everyone involved is just hoping that things will go well and they will not be sued directly.

Currently, there is no escaping the dilemma

Therefore, the EU Commission and the US government absolutely want to find a regulation to create a legal basis, so to speak, for the exchange of data with the US that the economy desires. So what should Europe do better in the third attempt at such an agreement with the United States? “The EU cannot do better because we are clashing on a very principled basis,” says Max Schrems, which means the legal systems on both sides of the Atlantic are incompatible with each other.

In the European Union there is a basic right to data protection and in the United States there are surveillance laws. However, in Europe, there does not seem to be a majority in favor of repealing the General Data Protection Regulation (GDPR). The Biden government gets hardly any laws through Congress, and certainly not a reform of surveillance laws — which is also controversial among American politicians, according to Sharmas. In this case, there are now two parties that cannot move towards each other.

“And now they’re trying to tie that together with the solutions sticking together like duct tape.” Max Shrims

The result is likely to be a new temporary solution. Thus, the data protection official is already preparing for the next round before the European Court of Justice.

Legal action will also be taken against the new Privacy Shield

Max Schrams believes that the new regulation will almost inevitably be built in a legally unclean manner. However, the European Court of Justice will not tolerate this. According to Sharms, there will be enough people to file a lawsuit against the new “Privacy Shield Agreement.” Sharmas reports that several lawyers wrote to him because they were angry at the actions of the European Union Commission. There is still no concrete text on what the new agreement will look like. Joe Biden and Ursula von der Leyen only agreed on some kind of declaration of intent. Shrims expects a fully drafted text in the fall and confirms his willingness to appeal to the European Court of Justice himself again.