In light of the recent US elections, paving the way for a
Trump presidency in 2017, why should companies take the risk of adopting the
Privacy Shield as a means of legitimising EU/US transfers?
Frankly, I wouldn't bother.
Not until the latest set of legal challenges has been
resolved, anyway.
Why?
Well, a recent lunch with a chum who is closer to the
minds of the policy-making and legal elites within the EU reminded me of the
deep cultural divide that exists inside the Brussels bubble. “Fortress Europe”
is the phrase that springs to mind, with a deep unwillingness on the part of
the European institutions to accept that other views can quite legitimately be
held by actors outside that fortress.
I’m a little worried at how quickly the relations are
likely to sour between the UK and the European Institutions, post Brexit. I
used to predict with confidence that, post Brexit, representatives from the ICO
would be invited to observe the meetings of the (by then) European Data Protection
Board, the successor to the Article 29 Working Party. And, that the ICO’s sensible
and pragmatic advice would continue to be appreciated by the working groups
that will be set up by the Board. But
I’m not so confident now.
My chum had an alarming tale to tell about the way the
European institutions maneuvered to impede the work of some of the European
groups they were involved with – because the project wasn't wholly within the
European Commission’s control. Later, I learnt a little more about the basis on
which the Commission decided that certain non-EU countries had “adequate”
levels of data protection. Enough said. I won’t reveal any more details.
But the impression I was left with was that the European
Commission acts when it is politically expedient for it to act. It either
leads, or follows, public opinion. In terms of the General Data Protection
Regulation, I think it’s fair to assume that it’s leading public opinion. After
27 years in this game, I still struggle to meet many members of the public who
are as obsessed with privacy as those that devised the GDPR. And I’ve met fewer that
have the mental capacity to understand such a complicated Regulation.
So, given a US President-elect with an “America First” agenda,
what is the likelihood of EU judges agreeing that the Privacy Shield provides
adequate protection against whatever today’s American bogyman is?
Regardless of the comforting words muttered by some of
Europe’s elite, congratulating Donald Trump on his achievement, I sense the
tectonic plates shifting again, with Fortress Europe building ever stronger
protections against those oiks who see themselves as nationalists, rather than
Europeans.
I sense that, post Brexit, most European institutions will
be giving the Brits the cold shoulder as we try to engage with European businesses – while the Americans will
face a much frostier reaction.
And I suspect that one of the battles will rage around the
EU–US personal information flows.
I suspect that well-intentioned Europeans will redouble
their efforts to prevent EU citizens’ personal data being transferred to what they
perceive to be an evil empire - despite
the heroic efforts by both sides to agree a framework that was more reassuring
than Safe Harbor.
And I suspect that the EU courts may find some sympathy
with their motives.
So, we are due a fierce fight about the legitimacy of
the Privacy Shield. It ain’t court proof, and I’m awaiting with some degree of
unease the result of the legal challenges that have already been made, and, no
doubt, the result of further legal
challenges that will come.
My advice to data controllers who worry about such issues today is simple: Sit tight, rely on the current European Commission-approved model
clauses to legitimize your EU/US data flows, wait for them (in turn) to be denounced by
the European courts, and then wait several months before the European
Commission decides what form of legalese really does need to be incorporated
into the contracts. And then act.