We are patient...but cannot be patient forever.
With those words, the European Union’s Justice Commissioner Vĕra Jourová seemingly fires a none-too-subtle warning shot in the direction of the Trump White House regarding the so-called Privacy Shield transatlantic data transfer framework. But in reality, is there really any appetite for action beyond the rhetoric?
Privacy Shield was the hastily cobbed together ‘replacement’ for Safe Harbor, which was itself shot down by years of haranguing from Jourová ’s predecessors and finally killed off by the European Court of Justice (ECJ) two years ago.
Despite having had years to work on a viable alternative, the Eurocrats and their US counterparts had failed to get their acts together and the end result was an after-the-deadline fudge in the form of the Privacy Shield.
This has allowed over 2,400 US companies to make all the right noises about non-US data being able to be sent safely to American data centers, but has been ferociously criticised by data privacy experts on both sides of the Atlantic, not least by the European Commission’s own data protection working group!
This week sees the first formal review of the arrangement as Jourová and colleagues set out for Washington to meet with US officials with a view to shoring up the deal. The big problem is, as has been long predicted, this doesn’t seem to be something that’s high up on the Trump agenda. As such, key elements aren’t getting the attention they need, beyond some diplomatic blandishements.
For example, a critical element of the Privacy Shield arrangement was to be the appointment of an Ombudsman at the US end to whom concerned EU citizens can appeal for assistance if concerned about any data transfer related matter. This Ombudsman is intended to be the safety net for non-US bodies to turn to, a safe pair of hands on the ground who can mediate in a crisis.
But no such full-time person has been put in place by the Americans - and with hundreds of as-yet unfilled posts in the current US government, it’s not likely to be a priority to deal with. (There’s a stand-in official keeping the seat warm in the shape of Judy Garber, acting assistant secretary in, er, the Bureau of Oceans and International Environmental and Scientific Affairs.)
America First, data privacy last?
What’s changed of course is the advancement of the America First agenda. Privacy Shield was hastily thrown into place under the Obama administration. The more protectionist outlook of the Trump regime isn’t something that’s helping with Privacy Shield and, according to the Eurocrats, is actively a problem.
On the eve of her visit to the US to meet with officials - and have a phone call with Commerce Secretary Wilbur Ross (!?!) - Jourová bluntly told reporters:
'America First' was understood by everybody to present a potential problem with regards to the Privacy Shield and data protection. It was a kind of wake-up call. We need to check that 'America First' does not mean 'America Only'. And we have to make sure that it is understood that the Privacy Shield is intended to protect privacy, security and also to uphold the interests of the businesses – not just American businesses, but also EU businesses. So we have to be careful what 'America First' means.
But while the Europeans are fretting about whether enough attention is being paid to, and action being delivered on, making Privacy Shield work, all the indications are that the White House doesn’t understand what all the fuss is about.
So while Jourová ups the rhetoric and calls this week’s formal review “a moment of truth”, White House Press Secretary Sarah Sanders is phlegmatic, telling reporters:
We firmly believe that the upcoming review will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic. This first-of-a-kind event brings together the expertise and resources of seven Federal agencies, hundreds of industry representatives, and other stakeholders to demonstrate the value and integrity of the Privacy Shield, which has noticeably improved transatlantic data protection practices.
The outcome of this first formal review is likely to be that Privacy Shield will have some more lipstick applied to the piggy - and that's about it.
For now, there's some formal wooly words from both sides in a joint statement:
The Privacy Shield raised the bar for transatlantic data protection by ensuring that participating companies and relevant public authorities provide a high level of data protection for EU individuals...The United States and the European Union share an interest in the Framework's success and remain committed to continued collaboration to ensure it functions as intended.
What will happen now? Well, the Eurocrats will issue some more tough words, aimed at the home audience, insisting that the Americans take this matter more seriously and that Washington should start to behave more like Brussels or else there will be trouble and er, more trouble, you just wait and see!
The Americans in turn will nod, say nice things about the importance of free flow of data across the Atlantic and promise to get round to that Ombudsman thing at some point…eventually…when they have a spare moment..anyway, leave it with us.
And that will be that.
Neither the US nor Europe can afford barriers to transatlantic data flow to be put in place. For all the posturing, the Eurocrats cannot afford for Privacy Shield to collapse at this point. It’s already facing legal challenges within the EU, in Ireland and France, that pose a threat to its ongoing existence. In addition, the EU wants to sign a similar EU/Japan Privacy Shield arrangement in the near future. If the US version falls to pieces first, what price that?
So when the report on the outcome of the two day review in Washington this week comes out in the latter half of next month, don’t expect there to be much (anything?) in it that’s going to rock the boat too much.
All of which will mean that the inevitable day when something has to be done to address the vexed question of transatlantic data transfer properly will just be pushed back a bit further. But it can't be put off forever. The big question is can something be done to give Privacy Shield some credibility before either the ECJ or Donald Trump kills it anyway?