Live. Die. Repeat. Is the 'Privacy Shield' deal stuck in a never-ending cycle of repeating the same mistakes like in the movie 'Groundhog Day'?

Steve Peers

While the USA is globally recognized, some of its customs remain perplexing. Take “Groundhog Day,” where the presence or absence of a groundhog’s shadow on February 2nd supposedly predicts six more weeks of winter. Beyond the USA, it’s more famous as a film where Bill Murray relives the same day, striving for perfection and Andie MacDowell’s affections. This concept has inspired others: Tom Cruise battling aliens and wooing Emily Blunt in Edge of Tomorrow, and Peter Capaldi’s efforts to breach a diamond wall and resurrect Jenna Coleman in Doctor Who’s “Hell Bent.”

“Live. Die. Repeat.”, Edge of Tomorrow’s tagline, encapsulates this idea. Groundhog Day, in particular, has sparked numerous analyses, with the most compelling being a Buddhist parable: endless reincarnation until enlightenment, or nirvana, is attained.

This brings us to the new EU/US privacy agreement, “Privacy Shield,” reached on, coincidentally, Groundhog Day. This latest version of the defunct “Safe Harbor” aims to establish a reliable framework for EU/US data transfers. Although specifics remain unknown, initial impressions suggest it might suffer the same fate as its predecessor, unless the Court of Justice of the European Union (CJEU) contradicts its own rulings. One wonders how many attempts will be needed for the US and EU to find harmony.

Flaws in the Agreement

The goal remains consistent: to create a legally sound set of regulations for EU/US data transfers for companies adhering to data protection principles. While alternatives like binding corporate rules or individual consent exist, their legal standing within the CJEU is untested. Naturally, businesses seek a smooth transition to a dependable framework. Does “Privacy Shield” deliver?

Without the complete text, a thorough analysis is impossible, but initial observations can be made.

The CJEU identified two major issues with “Safe Harbor”: the scope of mass surveillance in the USA and the inadequate legal recourse for EU citizens against it. While “Privacy Shield” seemingly addresses the latter with an “ombudsman” for complaints against the US government, it’s unclear if this new entity holds the authority to order data blocking or erasure to satisfy the CJEU’s concerns.

Moreover, there’s no indication of changes to the existing mass surveillance practices. Arguments defend the US system, claiming the CJEU misunderstood it, or pointing out similar practices in some EU countries. These points are detailed in a legal opinion summarized in a Financial Times article (paywalled).

Having initially avoided involvement in the Schrems case, Facebook and the US government presumably regret that decision. They are expected to fully participate in future litigation, hoping to convince the CJEU to reverse its stance.

What are the odds of success? The CJEU increasingly appears willing to reinterpret regulations or its own case law to preserve the EU project. Examples include support for controversial measures to maintain monetary union in Pringle and Gauweiler, limiting EU citizens’ access to benefits in Dano and Alimanovic to address public unease, and signaling a potential shift on detaining irregular migrants in Celaj amidst the ongoing crisis. The proposed UK renegotiation deal even assumes the court would reconsider free movement case law to prevent a UK exit from the European Union.

The CJEU once evoked Rome, uniformly governing a vast empire. Now, it resembles Dunkirk, desperately seeking a final stand against an imminent threat. Where it once paved straight paths, it now takes shortcuts.

Given the potential for legal challenges to “Privacy Shield,” its fate likely rests with the CJEU. Time will reveal the judgment’s place within the broader context of EU law.

Photo credit: play.google.com

Licensed under CC BY-NC-SA 4.0