Coming soon: Privacy Shield Version 2

Here’s 1) an update on Privacy Shield and 2) my views on what it means for international marketing.

What happened on Wednesday 13 April

WP29 Working group said: “We can’t recommend that the European Commission accept this version of Privacy Shield as it stands because:

  1. Several items that were specifically asked for have been addressed inadequately or ignored;
  2. The US security agencies still reserve the right to mass surveillance of data.”

The full text is available here.


The Reverberations

This result was expected by the privacy experts, but has been emotionalised by business and daily media on both sides of the Pond.

The most objective article I have seen so far is this by the IAPP: “WP29 says Privacy Shield needs improvements”.

Several – normally reputable – newspapers describe the situation as “international business is in limbo”. I find that inaccurate and misleading because alternatives for data export exist.


The impact for international business

  • Remember: Safe Harbor is Sunk
    claiming it as the legal basis for exporting data about EU customers to the USA is asking for trouble: the end of the grace period for using Safe Harbor was 31 January 2016. (Data Protection authorities in Hamburg have announced they are actively preparing cases against international businesses in Germany that have not updated their processes.)
  • Binding Corporate Rules (BCR) are still valid
    details here:
  • Standard Contractual Clauses (SCC) are still valid
    details here:
  • Remember: Data export is only part of the picture
    once the data is exported to the US it has to be stored and processed to a level of protection “essentially equivalent” to that provided by EU law – and that takes effort.


Where does it go from here?

The European Commission asked the WP29 for an opinion and recommendation. It is not obliged to follow that advice.

My view? The Commission is going to upset somebody, whatever it does.

If the European Commission ignores the WP29 and uses the current Privacy Shield draft text as the basis of an agreement with the USA, the Data Protection Authorities will be deeply, professionally annoyed. I believe the DPAs may then actively look for test cases they can bring before the Court of Justice of the European Union (CJEU) to reinforce EU law.

In this scenario, the best course of action for international business may be to prepare for BCRs and SCCs to cover data export, while checking that all other privacy aspects are squeaky clean. On the one hand, that’s an effort that might not be needed; against that is the combination (likelihood of risk x cost of sanctions). Tough call.

If the European Commission follows the WP29 recommendations to the letter, it will retain its credibility with the DPAs, but seriously annoy US government and its security bodies, not to mention vocal individual politicians (of all flavours) in national governments across the EU. This has the potential to become a stalemate without a workable conclusion. In this scenario, the subject is thrashed to death until we’re all totally blasé and bored with it.

I think this would make it hard to maintain privacy standards within international business. There will be a tendency to wait for a result on Privacy Shield (even if that takes months) rather than start implementing BCRs and SCCs. The business risk increases because of inaction, even though the laws and the penalties remain.

The middle ground? Perhaps the Commission has to realise it is not going to win the argument about the NSA this time around. The US government will not buy in to foreign governments setting its security agenda – least of all in an election year. However, it could achieve an honourable compromise by strengthening its determination on other issues. EU citizens would then receive a ‘health warning’ about using international data services “at your own risk”.

In my view this might actually be a good thing in the long run. Both sides can stay true to their principles (‘national security first’ for the USA / ‘individual privacy first’ for Europe). Best of all, international businesses have a clear set of rules and a self-certification method with low overhead, to keep the wheels of industry turning.
