Privacy Shield - it's impressive, but you may not see it that way
March 02, 2016
The new EU-US Privacy Shield is clearly the result of much hard work by civil servants on both sides of the Atlantic. It would be churlish to deny the effort that has gone into putting the Shield together.
Certainly the U.S. has moved a long way. Its team has rallied together an impressive group of big-name public authorities to provide the props upon which the Shield scheme can be built. It has also given legislative legitimacy to the concerns expressed in Europe about the nature of the legal remedies for EU citizens whose data are accessed by U.S. surveillance and law enforcement agencies. Plainly, the U.S. side has Presidential support for its efforts. Anyone who understands the U.S. enforcement mentality will feel confident that the Federal Trade Commission (FTC) will actively enforce the Shield when breaches come to light.
Businesses will welcome the Privacy Shield, because it is intended to stabilise flows of personal data across the Atlantic, which have been destabilised by the U.S. surveillance system, as revealed by Edward Snowden and the resulting fallout. The word in the privacy community is that U.S. businesses have lobbied their government hard, to make the progress that Europe has sought. In our practice we speak to U.S. businesses every day and there is no doubt that there is huge goodwill towards the European privacy regime. And if we reflect for a while on the dispute that is playing out right now, about FBI access to the iPhone, it seems fair to say that the U.S. technology majors are much more aligned with privacy rights than against.
But what about consumers? Arguably, most people aren't bothered by Snowden's disclosures, or the fallout. Those who are most bothered, a relatively small group of privacy advocates, don't seem to be impressed by the Privacy Shield, judging by some of the higher-profile initial reactions on social media and the web.
What about the EU regulators (the DPAs)? They will meet soon to discuss their reaction to the Shield. Their response cannot be fully predicted, but I expect it to be lukewarm. The court case that killed off the Shield's predecessor, Safe Harbour, has put the regulators on a sticky wicket. They are in a "damned if you do, damned if you don't" situation, because the court case has effectively told them that regardless of centralised EU decisions, they have to look at complaints about privacy breaches on their merits. Moreover, the Shield requires them to actively regulate complaints based around the Shield. Presumably, they won't want to appear overly enthusiastic at the outset, as that might draw criticism downstream from privacy advocates, to the effect that they have failed to apply a truly impartial mind to complaints. It would be in the DPAs' interests to be circumspect and sceptical.
The Privacy Shield leaves open two really big questions.
First, if the privacy advocates are sharpening their knives and the regulators are snookered into being tough, why on earth would an entity actually embrace the Shield? Isn't that like turkeys voting for Christmas? Why not save on the grief and the heartache and simply go for Model Clauses, an alternative mechanism for data transfers that doesn't contain anywhere near the same level of complexity and risk, and leave it to the privacy advocates, regulators and the courts to thrash out the arguments about the legal quality of the Shield in their own time and at their own cost?
Perhaps part of the answer lies in the second question, which is what kind of future do the other transfer mechanisms have, now that the Shield has been published?
The language of the draft Commission "Adequacy Decision" on the Privacy Shield arguably thrusts a dagger into the beating heart of the Model Clauses. They do not provide anywhere near the same level of protection for privacy as the Shield. What is sauce for the goose is sauce for the gander. It's hard to see how Model Clauses can survive in their current shape. Surely they will need to be overhauled. If this is correct, then Model Clauses do not provide a long-term solution.
But they do still provide a short- and medium-term solution. And that might be important for entities that want space to reflect, without the risk of being dragged into a Privacy Shield regulatory storm.
Yet there is no denying the inevitability of where we are heading. Data Privacy has been elevated to a matter of global importance, where the stakes are high. Whether or not you are bothered as an individual by what's happening to data, whatever your personal views on EU law, regulators, privacy advocates and judges, the die has been cast. No one can escape the all-encompassing nature of Data Privacy. Neither the Atlantic nor a Brexit is able to insulate an entity from the demands of the law. This is perhaps the key learning lesson of the Privacy Shield.
The Privacy Shield is impressive. Perhaps this will be lost on some people with a myopic privacy vision. It is a startling victory for European data privacy law. Sure, it's not perfect, but neither are data privacy protections over here in Europe, which have always been more impressive on paper than in practice.