Last week in Amsterdam, privacy regulators, practitioners and academics gathered for the 37th annual International Data Protection and Privacy Commissioners Conference. It’s no surprise that the discussion at the event was overshadowed by the recent decision of the European Court of Justice (ECJ) in the Schrems case, invalidating the EU-U.S. Safe Harbor and pulling the carpet from under the feet of not only 4,400 companies who have relied on it for day-to-day business activities, but also of dozens of regulators engaged in overseeing it.
In the days leading up to the conference, the head of the Article 29 Working Party was quoted as saying, "No one wants data transfers to stop completely, but neither does anyone want information on European citizens, who have certain rights under our laws, to be completely without protection when they leave Europe." If a correct quote, it is certainly an overstatement, since to suggest that U.S. law leaves individuals’ personal data “completely without protection” is to ignore what remains one of the most elaborate and comprehensive privacy regimes in the world.
Not only does U.S. law provide layer upon layer of federal and state regulation, industry best practices, activist advocacy groups and a vibrant academic and media debate, but it also harbors a dynamic reality of privacy on the ground. This includes more than 20,000 information governance professionals whose daily tasks include data classification, de-identification, security, vendor management, ethical review processes and more. Their work has recently been heralded in a book by Berkeley Profs. Deirdre Mulligan and Ken Bamberger and documented in our 140-page IAPP-EY report.
On the first day of the Amsterdam conference, a group of German state regulators issued a stern statement, announcing they would cease to authorize those data transfers to the U.S. based not only on the invalidated Safe Harbor but also on standard contractual clauses and binding corporate rules. Interestingly, the regulators did not repudiate the use of these same mechanisms in data transfers to countries like China, Russia or the United Arab Emirates, apparently implying that those countries’ practices are more democratic, transparent and privacy protective than those under U.S. law.
In a similar vein, in the conference’s concluding session, the Moroccan privacy regulator, host of next year’s annual conference, announced he would hereinafter review data transfers from Morocco to the U.S. on a case-by-case basis to ensure U.S. data recipients abide by the standards of Moroccan data protection. The irony of this statement, coming from an official of a country whose level of freedom ranks between that of Honduras and Kuwait, was not lost.
The ECJ decision and its progeny, statements by national privacy regulators, seem to create straw man arguments—“The U.S. has no privacy protections,” “the NSA conducts unfettered surveillance”—only to then treat them as axiomatic statements of fact. Alas, at this point, the regulators and courts involved in the Schrems proceedings have yet to conduct a thorough factual assessment of corporate data transfer practices, access by U.S. intelligence agencies, or safeguards under U.S. law. Rather, the questions debated have been strictly legal—the relationship between a national regulator and the European Commission; the status of a Commission decision in light of constitutional changes in the EU—and based on fragile factual foundations.
Ironically, if an “equivalence” test were implemented, as called for by the ECJ, European Member States would have to ratchet up their privacy protections to meet U.S. standards. Compared to the U.S., with the Fourth Amendment, FISA, ECPA, a series of Executive Orders as well as executive oversight committees empowered to review classified materials and call for extensive reforms, Europe has precious little surveillance privacy law.
If anything, after a spate of terrorist bombings, Europe has veered toward ever more intrusive surveillance practices. In a recently issued report, the European Parliament has expressed scorn “at some of the recent laws in some member states that extend surveillance capabilities of intelligence bodies, including, in France … in the UK … [and] in the Netherlands.”
The takeaway is clear: Instead of playing a blame game, all parties to the discussion would benefit from adopting a different tone, working together to find common ground in lieu of accentuating existing disparities.
Unfortunately, other important issues failed to find their way into the report.
First, despite being the basis for discussion for an international conference, the report focused exclusively on data flows between Europe and the U.S. To be sure, the two trading blocs command a large portion of global business, yet cyberspace knows no limits and the very same problems, including surveillance, trade regulation and trans-border data flows, plague activity in the APEC region, Latin America, Africa and beyond.
Second, perhaps reflecting the absence of privacy professionals among project participants (a couple of whom are former CPOs), the Privacy Bridges report fails to recognize the privacy profession as one of the bridges. This is disappointing, since as Trevor Hughes tweeted during the conference, “Let's not forget that bridges need bridge builders. Smart practitioners may be the most important privacy force.” Indeed, what better bridge is there between privacy cultures than the vibrant community of professionals that meet regularly, train, certify, publish and debate practical questions like how to better collect, safeguard, use and disclose personal information within companies, among business partners, across industries and national borders?
The Schrems Effect
Lawyers should arrange to send Max Schrems a generous Christmas present based on their end-of-year bonuses, which will no doubt be impacted by his work.
The ECJ decision has sparked a fury of form filing and contract signing by companies scrambling to establish a legal basis for what is a daily reality of trans-border data flows. Quite literally, the lights in many law firms have not gone off since the October 6 judgment. Cynics may question why companies feel hard pressed to immediately find a legal solution for a compliance risk that has thus far been very low. To date, European enforcement efforts have focused on household names like Google, Facebook and Microsoft.
More importantly, standard contractual clauses do not provide individuals even a speck of additional protection over the discredited Safe Harbor. To the contrary, while the Safe Harbor has operated against a backdrop of Federal Trade Commission enforcement, the instances where standard contractual clauses have been enforced, if any, have been few and far between. This, despite the fact that tens, if not hundreds, of thousands of standard clauses have been executed in practice, in each case creating a private cause of action for the individual data subjects involved.
It would be discouraging if 20 years after its inception, the European data protection regime rewarded rote form-filing and elevated contractual boilerplate over privacy on the ground. While expending corporate energy and compliance resources, these tools have done little to address privacy concerns.