As I began to prepare this piece, people were waking up in Europe to the news that Donald J. Trump would be the next President of the United States. The shock was palpable. For those of us living in the United Kingdom, the news inevitably recalled a very similar shock when we learnt, on the morning of 24 June 2016, that 52 percent of those voting in a referendum had expressed a wish that the country should leave the European Union.
European businesses store vast amounts of personal data on servers controlled by U.S. corporations. Huge quantities of data on European citizens are transferred to the U.S. every second of every day. The question which will inevitably arise in the minds of millions of people in the EU is whether a Trump presidency poses any significant risks to the security of that data. Businesses will need reassurance that the legal validity of their existing data transfer mechanisms, on whatever basis they are constructed, is not placed at risk by this transfer of power.
There is no immediate answer to that question, just as there is no immediate answer to thousands of other questions which have arisen in the wake of the decision of the American people. It is clear, however, that the new U.S. executive will have a very different outlook on the world to the one held by the Obama administration.
Post-election comments from Trump have not given clear guidance as to which of his many policies he wishes to pursue with vigour, and which may receive less attention. Policy is being made on the hoof, just as it was during the campaign period. Some of his policies will directly affect EU citizens, such as his call for "a total and complete shutdown of Muslims entering the United States until our country's representatives can figure out what is going on." He has also attacked U.S. bureaucracy and wants to redesign the Department of Commerce so that all trade policy is subsumed into an American desk which will look after American interests as opposed to the interests of other countries.
This does not bode well for the Privacy Shield, which the Department of Commerce administers through its International Trade Administration.
Even before Trump’s campaign got under way, the legal basis for trans-Atlantic data transfers from the EU to the U.S. was under attack from within the EU itself. The Safe Harbor regime did not seem to be subject to adequate oversight from U.S. authorities, and there were concerns that U.S. intelligence gathering could put the data of certain EU citizens at risk. Max Schrems successfully challenged the legality of the 2000 European Commission decision which endorsed Safe Harbor, and both the Commission and the Department of Commerce had to work hard to find a replacement.
This new formulation is itself not immune from criticism. The Commission issued a formal Decision in July 2016 finding that the Privacy Shield ensured adequate protection for personal data, but only two months later Digital Rights Ireland applied to the European Court for an annulment of that decision on ten grounds. In the meantime the Article 29 Working Party issued a rather lukewarm statement about the decision, welcoming the fact that the Commission and the U.S. authorities had taken into account some of its earlier worries, but stating that concerns remained regarding both the commercial aspects of the Privacy Shield and the access by U.S. public authorities to data transferred from the EU.
The other common mechanism for data transfers is the use of standard contractual clauses, which had remained largely problem-free until the Schrems decision put them under the spotlight. Schrems’s concerns arose out of transfers made by Facebook to its parent company in the U.S., and in a renewed investigation, the Irish Data Protection Commissioner has come to the preliminary view that an effective legal remedy is not available in the U.S. to EU citizens whose data is being transferred under standard contractual clauses in circumstances where it might be at risk of being accessed and processed by U.S. state agencies for national security purposes.
The prospect of a Trump presidency will only add to EU regulators’ concerns, as he seems to attach little value to international trade agreements of any kind. The Privacy Shield is at risk, as it relies in part on the legality of Executive Orders and Presidential Directives issued by Obama. Presidential Policy Directive 28, issued on 17 January 2014, imposes a number of limitations on signals intelligence operations. The Commission decision states in Recital 69 that this Directive is “of particular importance for non-U.S. persons, including EU data subjects,” and sets out extensively in succeeding recitals how the principles set out in Directive 28 demonstrate that the collection of intelligence data is targeted and proportionate.
The trouble is that the President-elect has stated that he will overturn every Executive Order made by President Obama, and one has to assume that Presidential Directives are at risk also. If this were to occur, without a satisfactory replacement for Directive 28, the legal justification for the Privacy Shield would collapse.
At the moment, the outlook for both the Privacy Shield and the standard contractual clauses is rather bleak. Binding corporate rules can incorporate legal redress mechanisms in order to remove the defect which imperils standard contractual clauses, but no data transfer route will be effective if the laws in the destination territory do not guarantee adequate protection for personal data. The current Data Protection Directive states in Recital 57 that “the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited,” and there is a mechanism under Article 25 for the Commission to find that a particular territory does not provide such protection – a procedure which has not been used up to now.
If there is good news here, it is that Mr Trump has never seemed overly concerned with privacy as a key issue, being neither a strong advocate nor a detractor. He has so many other potential initiatives that one must hope that attention to them will not give him the time to undermine the legal bases of international business. Authorities in the EU will be highly cautious, but are unlikely to take precipitate action to question the validity of existing international agreements unless and until there are dramatic policy and legislative changes in Washington.
Not much is predictable, and we must wait and see.
What we must come to recognise, both with Brexit and the U.S. election, is that people living in democratic societies have differing understandings of the value of fundamental human rights. What to one person may be a serious invasion of privacy may to another be a necessary action to preserve collective security. It may simply not be possible, in the foreseeable future, to have worldwide agreement on data protection principles which are fully based on the Continental EU model. That may face EU authorities with a conundrum – can they forbid everyone from sending data to the U.S., simply because the U.S. may not play by EU rules? Or should the EU rules themselves be relaxed?
We are not quite there yet, but this may be a challenge for the next decade.