Greetings from Barcelona!
I write from what is sometimes described as the "City of Dragons." Someone once counted more than 1,000 dragon depictions carved into the streets of this fine city. Little did I know that Barcelona shares Saint George with England as its patron saint, or Sant Jordi, as he is known in Catalan. As a metropolis, Barcelona offers a great deal to the humble visitor, from the "modernista" splendor of Gaudí, to the medieval gothic quarter, down to the beaches of the Barceloneta and the magnificent parks where anything goes; diverse entertainment is guaranteed. Intoxicating to the senses, my admiration for this city only grows.
It has been a busy week for privacy, with the European Commission formally adopting the EU-U.S. Privacy Shield framework. Both Věra Jourová, commissioner for justice, consumers and gender equality, and Andrus Ansip, EC vice-president for the Digital Single Market, said the framework is a robust system and will protect the personal data of European Union citizens and provide clarity for businesses. Jourová went on to say “it brings stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints.” The belief is that the framework will also restore the trust of consumers when their data is transferred across the Atlantic.
Despite ongoing privacy controversy, namely in Max Schrems' latest court challenge to model clause contracts and BCRs, both Jourová and U.S. Secretary of Commerce Penny Pritzker are of the opinion that Privacy Shield had been designed to take into account the Court of Justice of the EU ruling in the Safe Harbor case, which gives them confidence that it will not be open to further legal challenges. That said, much will depend on the reactions from the Member State regulators. While the EC does not require the endorsement of the regulators, businesses will most surely be waiting to hear their reaction before deriving any real sense of comfort or market certainty. After all, the regulators have the powers to investigate regardless of any given adequacy decision; businesses will be seeking assurances and positive statements in that regard. The Article 29 Working Party has yet to give its view, but it meets on 25 July to address the Privacy Shield. Let us not forget, the WP29 has also yet to give an opinion on model contracts and BCRs; all three mechanisms — the holy data-transfer trinity — remain vulnerable to challenge, which is not ideal for business.
In other news, the U.K. has a new prime minister this week. Theresa May takes the helm of the Conservative Party and the country. Post-Brexit, one wonders what is to be expected. We are led to believe that whatever the political eventuality, Article 50 will not be triggered this year. If it is triggered, the U.K. exit from the EU will most likely take years. In terms of privacy, the U.K. faces some hard decisions on the questions of the General Data Protection Regulation as well as the potential risk of non-participation in EU-U.S. trans-Atlantic data transfer deals, such as the Privacy Shield program.
It would appear that in the event of a full Brexit, where an independent U.K. is to renegotiate its trade arrangements, the U.K. would possibly have to negotiate a U.K.-specific Privacy Shield relationship with the EU, or obtain third-country adequacy status from the EC. In this scenario, the U.K. could come under a similar spotlight as the U.S. in relation to mass surveillance. Theresa May, in her position as home secretary, spent the best part of last year trying to push the Investigatory Powers Bill legislation — the Snooper’s Charter — through Parliament, which would give the police and other agencies significant and updated powers to monitor the public’s communications. This adds to the complexity of navigating viable ways forward. I think it unlikely that May will dramatically backpedal and change her position. The downside is that the bill is perceived to strip the U.K. citizen's fundamental right to privacy as protected under the European Convention on Human Rights. It is opposed by activists and companies in equal measure.
The ICO in the meantime continues to support existing data protection laws, and states that the GDPR will have reach into the U.K. where business is selling direct to EU citizens. The ICO’s own precise role going forward will depend on whether the U.K. is in the European Economic Area or not.
Clearly Europe stands to lose one of the more moderate and pragmatic voices at the EU’s top regulatory table; not good for the U.K., and not good for the EU.