The gap between U.S. attitudes to data protection and those of the European Union (EU) is under the spotlight again today as the European Parliament’s Civil Liberties Committee (LIBE) calls for the American authorities to be given an ultimatum: meet the terms of the transatlantic Privacy Shield arrangement or see it suspended.
Privacy Shield is the hastily cobbled-together replacement for the Safe Harbor agreement that allowed for data transfer between U.S. companies, including enterprise cloud vendors, and EU customers. Safe Harbor was struck down by the Court of Justice of the EU in October 2015, after growing pressure from European regulators and privacy campaigners, without any Safe Harbor II being put in place.
Privacy Shield was the PR response, allowing U.S. companies to put their names to it and ‘tick the box’ over privacy concerns. But from the start, Privacy Shield has been seen as a case of ‘lipstick on a pig’, with the EU’s own Article 29 data protection working party calling its robustness into question and in particular whether the U.S. administration takes it seriously. For example, the deal requires a permanent Privacy Shield Ombudsperson to be in place. No such appointment has been made.
The arrangement is subject to annual review and the first of these saw the EC call for reform of U.S. regulations, most notably around surveillance. None of the demands made have been met by the Trump administration in Washington.
And since then, Facebook’s antics have put an even tougher focus on the data privacy policies of U.S. firms, while the introduction of the EU General Data Protection Regulation (GDPR) has seen a toughening up of the legal situation in Europe. (It’s worth noting that Facebook is a signatory to Privacy Shield.) In addition, the recent CLOUD Act (Clarifying Lawful Overseas Use of Data) in the U.S. allows American law enforcement and security agencies to compel U.S.-based providers to hand over personal data regardless of the country in which it is stored.
Against that muddled backdrop, and with the second annual review approaching, the Parliament’s Civil Liberties Committee has now called for Privacy Shield to be suspended if the U.S. doesn’t meet all its terms by 1 September. In a statement, the Committee also calls for any companies that have abused data to be thrown out of the arrangement - no prizes for guessing who that’s aimed at:
MEPs call on the US authorities to act upon such revelations without delay and if needed, to remove companies that have misused personal data from the Privacy Shield list. EU authorities should also investigate such cases and if appropriate, suspend or ban data transfers under the Privacy Shield.
Civil Liberties Committee Chair and rapporteur Claude Moraes (S&D, UK), said:
The LIBE committee today adopted a clear position on the EU-US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.
So, is that it for Privacy Shield? Well, maybe, but there are a number of complications. This was only a vote at Committee level, and one that didn’t command a huge majority - it passed by 29 votes to 25, with 3 abstentions. The text agreed now needs to pass a wider vote in the full House, probably in July. Expect furious lobbying in Brussels in the meantime.
Even if this becomes a formal call from the European Parliament to the Commission and on to the U.S., the mood in Washington is hardly friendly to (a) being told what to do by Europe - see G7 antics - or (b) putting tougher data protection regimes into place. While there have been calls by enterprise tech leaders such as Salesforce CEO Marc Benioff and his SAP counterpart Bill McDermott for a ‘GDPR-US’, the Trump administration is in no mood to play ball.
For evidence of the prevailing wind in the White House, look no further than the recent op-ed piece ‘written’ by Commerce Secretary Wilbur Ross for the Financial Times, in which he uses GDPR as another weapon in a looming transatlantic trade war:
As currently envisioned, GDPR’s implementation could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the U.S., but for everyone outside the EU. GDPR creates serious, unclear legal obligations for both private and public sector entities, including the U.S. government. We do not have a clear understanding of what is required to comply. That could disrupt transatlantic co-operation on financial regulation, medical research, emergency management co-ordination, and important commerce.
The other complication is Brexit. While there’s been a clear shift towards U.S. cloud firms playing up their presence and future investment in France, the reality remains that the UK has traditionally been the first port of call for most when expanding internationally. That may or may not continue post-Brexit, but whatever the case, there’s a clear need for data protection alignment with Brussels to ensure the free transfer of data.
The UK Government has stated that this is its objective and has proposed a special agreement that would go beyond “the standard adequacy approach” that the EU uses with other third countries. But data protection has become another negotiating sticking point, with Brussels’ chief Brexit negotiator Michel Barnier adding it to the list of proposals from the UK that he’s rejected on sight. In a speech, he warned:
Brexit is not, and never will be, in the interest of EU businesses. And it will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world… We cannot, and will not, share this decision-making autonomy with a third country, including a former member state who does not want to be part of the same legal ecosystem as us....
Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR? Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR? How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?
The United Kingdom needs to face up to the reality of the European Union. It also needs to face up to the reality of Brexit. The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges. And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision.
Nicky Stewart, Commercial Director at UKCloud, which only sells into the UK public sector and as such isn’t faced with the transatlantic concerns of other vendors, sees the various data privacy issues converging into a very complicated position:
It’s not surprising that the LIBE has reached this position, given the Facebook / Cambridge Analytica scandal and the recent U.S. CLOUD Act. Whether the Commission chooses to respond to the Committee’s request is another matter altogether. Nonetheless, this also sharpens the focus on UK/EU negotiations on post-Brexit data flows, and it certainly gives the Commission another lever.
Equally, the U.S. (Silicon Valley in particular) is becoming more vocal in its criticism of GDPR, which the UK is relying upon to guarantee continuity of data flows between the UK and Europe post-Brexit. GDPR is regarded as a form of data protectionism, and recommendations have been made to the Trump administration that the U.S. shouldn’t do trade deals with countries that practice it. There are interesting times ahead.
There are indeed. The Trump administration has shown no sign to date of being receptive on any of this. Optimistically, I want to hope that the cooler and more informed heads in Silicon Valley will be able to influence a more co-operative stance, but this is a White House that believes it’s easy to win a trade war, so adding a digital/data front to that is all too likely.
The real problem here, though, is that Privacy Shield was just a Bugger’s Muddle, thrown together when the EC and the previous U.S. Government realised they’d spent so long playing ‘dare you’ with one another that a crucial transatlantic agreement had been burned with no viable replacement. If both sides had spent less time posturing and more time putting a constructive Safe Harbor II in place, at least some of the current situation would have been alleviated.
But it’s like the old joke - “How do I get from A-B?”, to which the answer is, “Well, I wouldn’t start from here.” Unfortunately we are starting from here - and that’s not a good thing, for anyone.