The EU/US data privacy divide - a series of subtexts for the Trump administration
- Summary:
- The data divide between the EU and the US doesn't just consist of the Privacy Shield problem as Justice Commissioner Věra Jourová warned the Trump administration.
As we noted last week, when European Union Justice Commissioner Věra Jourová headed off to Washington to meet with Trump administration officials, the main talking point was expected to be the parlous state of the so-called Privacy Shield transatlantic data transfer protection.
European Commission officials had talked up the tough stand that Jourová would be taking, seeking assurances that the new President and his team would hold firm on the agreement, even as European legislators called its robustness into question.
Sure enough, Jourová returned to Europe after a series of meetings, including with US Commerce Secretary Wilbur Ross, to tell Bloomberg that she felt that she succeeded in her mission:
I have to come back to Europe with such assurances and to continue working on keeping the privacy shield running. I can say I have positive feelings. I spoke to Mr. Ross, I spoke to the American Chamber of Commerce and representations of various businesses, and I had a very good feeling. At this moment I am quite positive, but of course we need to get more information on how the Privacy Shield is functioning.
What is interesting is how Jourová went out of her way to frame Privacy Shield as only one part of a wider transatlantic debate between the EU and the US. In a keynote speech to the Center for Strategic and International Studies, the data transfer agreement was the last thing to be mentioned, with the Commissioner choosing to begin with the War on Terror.
Jourová noted that her previous visit to Washington had come shortly after the Paris terror attacks in 2015. Now, her 2017 visit came in the wake of the attack on Westminster Bridge, she observed. These were two attacks on “democracy, our way of life and our values of tolerance” that illustrate the need for common dialog and understanding between the EU and the US, she said.
But - subtext alert! - not at any price:
More than ever, we need to co-operate and protect our respective citizens from common security threats. But in doing so, we need to reconcile security interests and upholding fundamental rights.
The first part of that statement will play well with the hawks in Washington; the second part, perhaps, will ring a few alarm bells. In order to bridge the gap between the two, Jourová pointed to the EU-US Umbrella Agreement, which came into force on 1 February, shortly after Trump’s inauguration.
Jourová pitched the Agreement as necessary to protect personal information exchanged as part of law enforcement cooperation, including information on suspects and convicted persons, but also innocent victims and witnesses:
[This]…is a big improvement compared to the past situation when our information exchanges were subject to fragmented and often weak protections, which caused legal uncertainty and exposed them to legal challenges. With the Umbrella Agreement, we now have a common transatlantic privacy framework based on high standards.
Subtext alert 2 - so don’t touch it, Mr President! Or as Jourová put it:
Now that this major agreement has entered into force, we must ensure that it is fully and effectively implemented - on both sides of the Atlantic.
Hate speech
Trump and his team are likely to have been pleased by the tough tone Jourová took on the topic of online hate speech and the role - and responsibilities - of internet and social media platform providers. Trump has made no secret of his anger at what he perceives as lack of co-operation from the likes of Apple, while the Department of Justice is still hellbent on winning the right to access data held on servers not on US soil.
Jourová wasn’t as outspoken as Trump has been, but she did make the right noises:
I want the Internet to remain a place of free and democratic expression, where the law is respected. The rule of law must apply online, just as it does offline. In May last year, I agreed with Facebook, Twitter, YouTube and Microsoft on a Code of conduct to counter illegal hate speech online. These IT companies committed to review and assess most of the notifications of illegal hate speech in less than 24 hours.
But to date, the success of this is open to question - and it does fall short of the Trump administration’s demands for access to personal data. Jourová would only commit to further information by the end of May on the effectiveness of this voluntary code, but admitted:
A lack of progress may challenge the effectiveness of self-regulation in this area and may increase the pressure to legislate.
Finally, the elephant-in-the-room got the attention the audience had been waiting for. Jourová began by welcoming the fact that over 2000 US companies to date have signed up to the Privacy Shield and emphasised that she sees this as a reaffirmation of shared values between Europe and the US.
But - (not such a) subtext alert 3 - there’s reason for concern about whether the Shield agreement is going to hold up and the uncertainties reach all the way up to the White House.
Jourová warned that decisions taken in Washington and by the President himself will determine the future - or fate - of Privacy Shield:
For instance, there would be no Privacy Shield without Presidential Policy Directive No 28 and the Ombudsperson. Both are central elements of the representations and commitments on which the framework is built. And [the EU] will also follow closely this year’s debates around the reform of section 702 FISA and how this will affect the data of Europeans.
Section 702 of the Foreign Intelligence Surveillance Act (Fisa) authorised spy programs like Prism and Upstream. It is due to expire at the end of 2017, unless reauthorised by Congress. The Trump administration is expected to support its reauthorisation, which would put it on a collision course with Brussels.
Away from the White House, Jourová also emphasised that there’s a need for Privacy Shield to be seen to be working and for its terms to be enforced:
Companies have to comply with their obligations and this needs to be reflected in their daily operations. And the public authorities that oversee the Privacy Shield, both here and back in Europe, have to monitor such compliance and help individuals exercising their rights.
To that end, she confirmed that she’d agreed with the US Commerce Secretary that there should be a joint review of Privacy Shield in September. That rather presumes, of course, that the initiative will survive an earlier review this summer by EU legislators…
But Jourová had to leave the US on an upbeat note, so her conclusion, for now, is:
Transatlantic data flows have come a long way. The Umbrella Agreement and the Privacy Shield will benefit our citizens and businesses, provided they continue to be properly and fully implemented. I have come here to engage with my new counterparts in this spirit. I am happy that we have made a positive start this week and reaffirmed our common commitments.
My take
As predicted last week, the message to the world on the back of this mission to Washington was inevitably of a ‘glass half full’ nature.
That’s politics for you - and certainly having a European official going in sabre-rattling against the new Trump administration would be unlikely to achieve any positive effect.
And Jourová’s measured subtext-ing tone was a welcome change from the at-times rabidly anti-US-sounding rhetoric from former Commissioners, such as Viviane Reding.
That said, I still don’t give Privacy Shield much chance of survival, although I reckon it will be the Europeans who’ll finish it off before anyone in the US gets a chance to. As Jourová noted:
We don’t have much time and we will do a lot of work by September. All of us have some homeworks.