Detlef Schmuck: Attempt to revive the Privacy Shield is doomed to failure.
Hamburg, 13 October 2022 – The latest attempt by the US government to put transatlantic data exchange on a solid footing in terms of data protection law is doomed to failure, predicts Hamburg-based data security expert Detlef Schmuck. He says: “As long as the US continues to disregard the European level of data protection as blatantly as it has done so far, there can be no stable legal basis.”
On 7 October, US President Joe Biden had signed the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities”. The order aims to revive the 2016 EU-US Privacy Shield agreement, which the European Court of Justice (ECJ) declared invalid in July 2020 (the Schrems II judgment). To move this forward, the next step would be for the European Commission to adopt an adequacy decision officially stating that the US provides a level of data protection essentially equivalent to that of the General Data Protection Regulation (GDPR; known in Germany as the DSGVO).
“The resolution may come because it is politically desired, but factually the adequacy is simply not there,” says Detlef Schmuck: “Even after the latest Executive Order, the protection of personal data remains far behind the European level. The formulations signed by Biden are downright ridiculous.”
Detlef Schmuck: “Whoever classifies the latest Executive Order by US President Biden as data protection also believes they can catch water in a sieve.”
Thus, the latest US initiative continues to grant US authorities bulk access to EU citizens’ data when national security is threatened, when international financial crimes are investigated, when serious crimes are prosecuted, or if – literally – “intelligence cannot be obtained by other means or the effort required to do so would be disproportionate to the result.” Detlef Schmuck analyses: “In view of these vague formulations, the US authorities will in practice always be able to invoke one of these criteria in order to obtain heaps of EU citizens’ data. Whoever classifies this Executive Order as data protection also believes they can catch water in a sieve.”
With regard to a complaints body where EU citizens can appeal against the handling of their data in the US and a court for disputes that is yet to be established, the wording of the latest Executive Order is just as vague, says Detlef Schmuck. He calls for more realism: “Anyone who has ever tried to argue with Microsoft, Amazon or Google about the use of their personal data has an inkling of how pointless future action against US authorities for data protection violations will be.”
European companies should under no circumstances let themselves be carried away by the new Executive Order into transferring personal data, even indirectly, to the US, warns data expert Detlef Schmuck. In his estimation, even if the European Commission adopts the adequacy decision, such transfers will probably be classified as a gross violation of European data protection legislation.
Detlef Schmuck reminds: “Both previous approaches to a transatlantic data exchange agreement, Safe Harbor and Privacy Shield, have been overturned by the ECJ. Everything indicates that the European judges will not be fooled a third time by politically motivated formulations if the US authorities in fact continue to trample on data protection.” His summary: “European companies are still well advised to keep personal data consistently within the EU, German companies best within Germany.”
The expert appeals to politicians to promote technical measures for data protection that make it impossible for any authority to gain insight into the digital privacy of citizens. This includes complete end-to-end encryption of data with a so-called zero-knowledge architecture. What sounds technical at first glance ultimately means that only the authorised owner has access to their data, and no one else.
Since the operator of the data service also holds no keys to the customer data (“zero knowledge”), it cannot hand the data over even on an official order. “What you don’t have, you can’t pass on,” Schmuck says laconically. He points out another increasingly important aspect: “Cyber criminals cannot capture the data in readable form with a zero-knowledge architecture either, because they cannot steal a key that is not there.”