As policymakers in Washington and Brussels meet to discuss possible alternatives to the Safe Harbor in order to keep data flowing across the Atlantic, corporate privacy professionals are facing an immediate need to respond to the landmark decision in the Schrems case. Whether your company relied on Safe Harbor to transfer data for storage in the cloud, to process consumer orders, centralize HR administration, engage service providers or communicate with corporate affiliates, you now need a new solution, and you need it today. What do you do until the bigwigs hammer out a new deal for Safe Harbor 2.0? Execute dozens of model clauses? Engage pricey consultants to start your binding corporate rules? Rely on consent? Or perhaps lay low and wait for the storm to pass?
On October 6, more than 2,500 professionals registered to join an IAPP web conference featuring initial reactions on the day of the Safe Harbor decision. During that session, the IAPP received dozens of questions about next steps. We poured the questions into eight buckets, titled:
- What does the ruling do?
- What Now?
- BCRs and model clauses as alternatives
- Potential solutions
- Official responses and implications on foreign policy, and
- Policy and related issues
In this last of the series of five pieces, we feature answers provided to your questions by a panel of world-renowned experts. In this case, Toby Stevens, CIPP/E, CIPM, of Enterprise Privacy Group Limited, discusses "policy and related issues."
Have more questions? Our experts will be available to answer them in person at the IAPP’s GDPR Comprehensive, February 22-23 in Brussels. Join them there for a special training event, to learn the new framework that is set to arrive at the end of 2015.
The Privacy Advisor: This feels like the same void that was created when the Europeans enacted the EU Data Protection Directive. How is this any different?
Toby Stevens: The introduction of the EU Data Protection Directive was a critical business enabler for personal data transfers between member states which, until that time, had varied and often conflicting legislation. However, it was designed at a time when the web was still emerging, cloud services didn’t exist and Trans-Atlantic data transfers were uncommon, and as such, the Directive could not anticipate the complexity of aligning a comprehensive privacy model with the U.S.’ sectoral approach and the post-9/11 changes (most notably The PATRIOT Act). Safe Harbor was a legal sticking plaster to overcome those problems, but now it’s no longer recognized in the EU. We’re not dealing with something like the same void—it’s the original one. We’re back where we were 15 years ago.
The Privacy Advisor: Europe and the U.S. both have laws protecting the privacy of individuals. Europe and the U.S. also both have laws around the surveillance of individuals for law enforcement and national security purposes. And finally, the EU and the U.S. are allies in the fight against terrorism. What makes it so difficult for both sides to get along when it comes to privacy? Can this be explained solely from a legal point of view?
Toby: The surveillance revelations have exposed some fundamental tensions between the U.S. and EU that go far beyond legal differences: The perceived dominance of U.S. technology companies, concerns about imbalances in intelligence sharing between allies and the thorny issue of data sovereignty are all contributing factors. Unfortunately, resolving these problems may take much more than a legal agreement, and whilst Safe Harbor 2 might break the legal impasse, data sovereignty risks won’t go away until a more fundamental solution is found. Lawyers might be able to get the data flowing again, but it will need lawmakers to rethink the relationship between the continents and their governments’ intelligence intercepts.
The Privacy Advisor: All the press seems to put this as a response to the Snowden revelations and U.S. surveillance. How is this logic consistent when EU telecommunications companies work hand-in-hand with the EU national security apparatus, providing similar if not more data?
Toby: Snowden’s revelations reminded us that allies use their surveillance resources not only to collaborate, but also to gather intelligence on each other. Companies allegedly working hand-in-hand with intelligence services can give nation states an edge. The dominance of U.S. corporations for cloud infrastructure and social media, coupled with the unparalleled scale of the NSA and other U.S. intelligence agencies, means that EU governments simultaneously envy and fear the U.S.’ capabilities. The fact that many of those countries allegedly have similar capabilities, albeit on a smaller scale, has been of far less interest to the European mainstream media, and the public perception is that surveillance is a U.S.-centric operation.
The Privacy Advisor: Do DPAs actually get enough funding to do the kind of investigations that they may now be required to conduct?
Toby: The varied funding and powers of European DPAs are a long-standing headache for European privacy. When corporations such as Facebook, Google or Apple have legal teams larger than DPAs, it is inevitable that an imbalance of power will arise. Until recently the Irish Commissioner’s office was housed above a small supermarket on the outskirts of Dublin, yet was expected to effectively manage the interests of the likes of Facebook throughout Europe.
This imbalance inevitably erodes public trust in the capability of the regulator. Whether or not it is true, if DPAs are accused of favoring enforcement against small companies where there is little chance of legal resistance, rather than major corporations that can tie up the DPA’s entire legal team, then the public are unlikely to trust in effective regulation.
The Privacy Advisor: How does the court ruling today stack up against the Microsoft v. U.S. government case concerning the PATRIOT Act?
Toby: Safe Harbor was created to deal with the specific challenges of PATRIOT. The outcome of Microsoft v. U.S. government could drive a further wedge between the two continents if the U.S. is granted access to that data, and leave U.S. companies in a legal dilemma of which country’s jurisdiction should be allowed to prevail. A win for the U.S. government in this case could be as damaging for international data transfers as Schrems v. Facebook.
Given the pressures that U.S. providers are under, it is little surprise that they are hedging their bets by expanding their EU presence—Microsoft, for example, has just announced the opening of two UK centers.
The Privacy Advisor: What is the impact of point to point encryption if used by companies to prevent bulk collection of in transit communications by governments?
Toby: Point to point—or end to end—encryption is seen by some as a countermeasure to surveillance, and therefore a potential means to overcome some of the problems Safe Harbor tried to address. However, given the ECJ’s ruling, it is likely to be considered effective only when there can be no decryption at the U.S. endpoint, something which renders the passage or storage of EU information on U.S. soil of limited commercial value.
But some of the problem is home-grown in the EU. Individual nations—most notably the UK—are proposing mandatory back doors into end-to-end encryption to facilitate their surveillance operations. Apple’s Tim Cook has spoken out against the proposed Investigatory Powers Bill, and that could well be the most divisive data sovereignty dispute yet. Would Apple cave in and weaken its products, or could the UK ban Apple (and a host of other companies)? The next year’s developments will be very interesting indeed.