Europe to Trump - clean up your Privacy Shield act by September or we’ll do...what exactly?

In a entirely unsurprising, but still significant, development, the European Parliament has put the transatlantic Privacy Shield arrangement on notice with a firm message to the U.S. - put your house in order within 2 months or the deal’s off!

Long-time readers will know that diginomica has dubbed Privacy Shield, the hastily-cobbled together replacement for the long-standing Safe Harbor data transfer deal between the U.S. and the European Union (EU), to be little more than lipstick on the proverbial pig.

Even the European Commission’s own data protection working groups have slammed it as inadequate, while the U.S. authorities have make token noises about its importance, while failing to follow through on critical requirements, not least the appointment of an ombudsperson states-side to act as gatekeeper.

Yesterday patience ran out on the EU side of the pond as the European Parliament adopted a resolution calling for the suspension of the Privacy Shield agreement unless the U.S. administration takes urgent action to meet its obligations.

The resolution says that the Parliament does not see Privacy Shield in its current form as providing an adequate level of data protection required by the EU and states bluntly that:

unless the U.S. is fully compliant by 1 September 2018, the Commission has failed to act in accordance with Article 45(5) GDPR; calls therefore on the Commission to suspend the Privacy Shield until the U.S. authorities comply with its terms.

For the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), chair Claude Moraes said:

While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the U.S. authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR (General Data Protection Regulation).

And Trump cares...why?

How important is this? Well, it may just be a comfort blanket, but Privacy Shield is currently adopted by more than 4,000 companies which transfer data between the EU and the U.S - including the likes of Facebook, Microsoft, Amazon, Salesforce et al. So a suspension or a complete collapse would be bad news. Of course transatlantic data flows wouldn’t simply stop, but the whole debate about privacy and security and safety would be re-opened and all the antagonisms aired again.

Certainly the U.S. Computer and Communications Industry Association lobby group is concerned. CCIA Europe Senior Manager Alexandre Roure says:

We take note of today’s non-binding resolution with its suggestions to further improve Privacy Shield ahead of the September review. Several improvements have already been made following extensive and ongoing cooperation on both sides of the Atlantic. We caution against calls for a rushed suspension of this arrangement. Privacy Shield has extended EU privacy standards globally while safeguarding international data flows which European firms and Europe’s economy rely on.

How likely is it that the Trump administration will suddenly prioritise making the necessary fixes? Well, given the propensity for Trump to tear up - and threaten to tear up - international treaties left-right-and-center, how much concern is likely to be afforded to Privacy Shield?  Bear in mind also that the EU is now, according to the Trump doctrine, a group set up to fleece the U.S. and one that is the target of a tariff-led trade war, it’s also safe to assume that the current state of transatlantic diplomatic relations isn’t likely to help here either.

There’s good reason to believe that the U.S. might just call the EU’s bluff here. The European Parliament’s resolution is non-binding. It’s up to the European Commission (EC) to take action - ie: the Eurocrat career civil servants, not the headline-seeeking politicos.

While the deadline given here is September, the critical date to look out for is really October, when the second annual review of Privacy Shield is due to take place. If the Commission blinks and decides to sign the mechanism through for another year, Washington can basically keep on its current path. That’s a gamble that is likely to be felt worth a roll of the dice.

And the unanswerable question for the EC is, what do we replace Privacy Shield with if the threats are followed through with? With that in mind, it’s hardly surprising then to find the Commission spinning a ‘progress has been made, but work to be done’ party line after the vote in Parliament.

My take

I’m getting to sound like a stuck record on this subject, but if both sides had actually bothered to stop grandstanding and do some work on this crucial issue before Safe Harbor ran out, then the bugger’s muddle that has ensued might not have occurred.

Given the current anti-EU rhetoric coming out of the White House, the chances of a threat from Brussels falling on open ears is preposterously unlikely. If anything, it’s more likely to become part of an early morning Twitter rant berating Europe as trying to stop America being made great again.

So does the EC have the nerve to pull out? I very, very much doubt it. We’ve been here before. The best we’re looking at here is some ‘look how tough we are’ posturing, a ‘must do better or else’ signing off of Privacy Shield for another year and the pulling around us all of an increasingly moth-eaten comfort blanket.

This can’t go on.