Remember a few months back when the European Commission got all stroppy with the US Government and issued it with a deadline to clean up its act around the Privacy Shield transatlantic data transfer deal?
Basically the Commission said that if the Americans didn’t meet their side of the bargain by September, the deal was off and Europe would do… something. It wasn’t clear what that something was going to be, but it was going to be a very tough something, a something that wouldn’t be forgotten!
Unsurprisingly Washington didn’t blink and the deadline came and went without any of the fire and fury from Brussels that had been threatened. In fact, the only response that came out was from the US Ambassador to the European Union who stated:
As we’ve told the Europeans, we really don’t want to discuss this any further.
With the current occupant of the White House openly characterising the EU as a bigger threat to the US than Russia or China, it took a particular streak of Brussels arrogance to have expected anything other than such indifference to be the result of the Commission’s posturing.
The US knows that Europe needs the Privacy Shield, the horrendously flawed, cobbled-together replacement for the long-standing Safe Harbor provisions, to hold. There’s nothing else on the table to put in its place to (supposedly) ensure the safe transfer of data across the Atlantic. So threats to walk away were always going to be regarded as empty ones.
The Commission’s ongoing commitment to fudging the issue continued yesterday with the publication of the results of the second annual review of the agreement - and Brussels is setting deadlines for the US again!
This latest bluster is demanding that the US nominates a permanent Ombudsperson by 28 February or Europe will do something. It’s not clear what that something is going to be, but it’s going to be a very tough something etc etc etc. Actually the threat is that if the US doesn’t deliver on this, then the Commission will “consider” taking “appropriate measures in accordance with the General Data Protection Regulation”.
Andrus Ansip, Commission VP for the Digital Single Market, states:
We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy.
Brussels does have a point here. The appointment of an Ombudsperson is a key element of the Privacy Shield arrangement, but the Trump administration has failed to make a full-time appointment to the role over the past two years. There’s a Washington official who’s had parts of the role bundled into her job spec, which is principal deputy assistant secretary for the Bureau of Oceans and International Environmental and Scientific Affairs. (And she’s been nominated as the new US Ambassador to Cyprus now!)
It should be noted at this point that as of the present time, the acting Ombudsperson has had no requests for action, although a complaint for her attention has apparently been received by the data protection officials of the Croatian government.
But a deal’s a deal, so there’s justification when Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, argues that the ongoing lack of a responsible full-time Ombudsperson is a concern:
The EU and the U.S. are facing growing common challenges, when it comes to the protection of personal data, as shown by the Facebook / Cambridge Analytica scandal. The Privacy Shield is also a dialogue that in the long term should contribute to convergence of our systems, based on strong horizontal rights and independent, vigorous enforcement. Such convergence would ultimately strengthen the foundation on which the Privacy Shield is based. In the meantime, all elements of the Shield must be working at full speed, including the Ombudsperson.
Papering over the cracks
Other than this latest, probably futile, demand, the Commission has papered over the cracks for another year and given Privacy Shield marks for improvement over the past year. In particular, it highlights what it sees as more action on the part of the US authorities, taking credit for having driven them to this:
In line with the Commission's recommendations from the first annual review, the Department of Commerce has further strengthened the certification process and introduced new oversight procedures. In particular, the Department of Commerce adopted a new process that requires first-time applicants to delay public representations regarding their Privacy Shield participation until their certification review is finalised by the Department of Commerce.
Moreover, the Department of Commerce has introduced new mechanisms to detect potential compliance issues, such as random spot-checks (at the time of the annual review, such spot checks had been performed on about 100 organisations) and the monitoring of public reports about the privacy practices of Privacy Shield participants. In the search for false claims of participation in the framework, the Department of Commerce is now actively using a variety of tools, for instance a quarterly review of companies that have been identified as more likely to make false claims and a system for image and text searches on the internet.
As a result, more than 50 cases have been referred to the Federal Trade Commission since the first annual review took place.
I’m trying to picture the scene in the Oval Office.
“Mr President, we have a problem. The European Union’s Commissioner for Justice, Consumers and Gender Equality is threatening to consider appropriate measures in accordance with the General Data Protection Regulation!”
That’ll have him shaking in his shoes, eh?
So Privacy Shield limps on for another year, as it was always going to do. There’s no political will in Washington for anything to change and the Eurocrats can preen and posture and issue all the empty threats they like, but that’s not going to change.
It would all have been so much better to have done it right in the first place instead of playing a transatlantic game of dare and double-dare.