It’s that time of the year - Halloween, the Holidays and the by-now annual farce of slapping some more lipstick on the face of the pig that is the EU-US Privacy Shield.
Privacy Shield, as long term readers will know all too well, is the hastily-pulled- together PR-friendly replacement for the Safe Harbor transatlantic data transfer framework. Cobbled together after the deadline for coming up with a new framework had passed, Privacy Shield has been under fire as not fit for purpose from the moment it was signed, not least from Europe’s own data protection authorities.
But with billions of dollars/pounds/Euros of transatlantic business dependent on secure and private data transfer, noses are held and life goes on. Once a year, the European Commission sends officials to meet with US counterparts to review whether to prop up the house of cards for another twelve months. With no viable alternative in sight, the outcome of the review is a given, although the process does demand some futile grandstanding and empty threats from Brussels for domestic consumption.
This year has been no different. Both sides have congratulated themselves for ‘progress’ with the EU side making a few ‘recommendations’ that it wants to see the Americans take to ‘strengthen’ the deal. For their part, the Americans tolerate being told what to do by the Eurocrats, smile for the photo opp and go away to get on with their lives.
This year’s ‘could do betters’ includes a “further strengthening” of the re-certification process by reducing the amount of time it takes to tick the necessary boxes in the self-certification procedure. There’s also a call to expand compliance checks and the development of formal guidance on handling of HR data.
The Commission also wants to see the US Federal Trade Commission (FTC) step up its investigation in false compliance claims by companies. It says a lot about the teeth that Privacy Shield has that to date the FTC has taken enforcement action in a total of 7 cases of non-compliance in three years - and that’s acknowledged by the EC as “improved” performance!
But public impressions need to be maintained, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová obliges with:
With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our US counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.
Tucked away in the review is one call to action that’s of interest which is the Commission alluding to efforts to introduce a GDPR-style avatar at federal level in the US. This is a topic diginomica has returned to many times over the past couple of years and one which has attracted a lot more attention in both business and political circles, albeit with no visible sign of consensus to date and a lot of lobbyists cashing in.
But there are efforts underway to keep the topic on the national agenda, the latest of which is the proposed ‘Mind Your Own Business Act’, a bill drafted by Democratic Senator Ron Wyden and presented to the Senate last week.
It aims to give the FTC increased powers to fine companies and Wyden has Facebook firmly in his sights here. Earlier this year, he criticised the Commission’s $5 billion fine for privacy violations related to the Cambridge Analytica scandal as “a sweetheart deal”.
Wyden’s proposals are that companies should face fines of up to 4% of their total annual revenue for privacy violations with the option for tax penalties against companies if corporate leadership lies about their privacy protections. And for any CEOs that are economical with the truth about their data handling, Wyden wants jail time of up to 20 years to be the result. Wyden argues:
Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he'd face jail time for lying to the government.
There’s a lot of overlap with GDPR in what Wyden is proposing. He wants to set up a national ‘do not track’ system so that US consumers can opt out of companies and online advertisers collecting and sharing their personal data, as well as allowing individuals to review what personal information companies do hold and with whom it's being shared and for what purpose.
As a sop to business, he’s also suggesting that companies should be able to produce a "privacy-friendly version of their product, for which they can charge a reasonable fee”, with provisions to ensure that low-income consumers on the Federal Communication Commission’s ‘Lifeline’ program don’t have to pay.
That last concession seems dangerously close to making privacy a commercial product - a luxury item? - but leaving that aside, Wyden’s on the right track here.
Unfortunately there’s about as much chance of the bill passing in its current form as there is Privacy Shield suddenly becoming fit-for-purpose.
That said, while the latest touch-up of the lipstick will certainly be approved by European Commissioners, there’s the ticking bomb of the Court of Justice of the European Union (CJEU), which will rule in the first half of next year as to whether EU citizens’ personal data can legally be shipped to the US. As part of privacy activist Max Schrems case claiming that the US does not sufficiently protect Europeans' data when it crosses the Atlantic, the CJEU has raised questions about the robustness of Privacy Shield.
If the Court decides that Schrems claims of inadequate protection are correct, then there isn’t enough lipstick around to paint over the blemishes on the face of Privacy Shield. An alternative would have to be found, which would take everything back to square one in a US election year. Yeah, good luck with that.