It is too early to identify with any certainty the winners and losers in the Privacy Shield process. With the Article 29 Working Party opinion on the Privacy Shield forthcoming in one week, there is a chance the agreement may not receive final approval, and there’s perhaps a greater chance that the EU Court of Justice will eventually kill the Privacy Shield on the same grounds as Safe Harbor. If that happens, it may be difficult to find another solution, a major crisis could result, and a different list of winners and losers could emerge.
As written, however, almost everyone involved in the Privacy Shield process is both a winner and a loser in some respect. Here is a preliminary scorecard for some of those affected by the Privacy Shield.
U.S. Department of Commerce – The Department is a winner because it produced an agreement that its clientele in the American business community desperately wanted. However, the Department is also a loser because it now has to run a privacy program that requires considerable resources and has the potential to create conflicts with some of the businesses seeking to obtain the benefits of the Privacy Shield. The Department must build an infrastructure and procedures, assign staff, and take other actions to comply with Privacy Shield. It will be a significant undertaking that takes up time, staff, budget, and more.
U.S. business – American multinational companies – and especially Internet giants – are winners because they needed a replacement for Safe Harbor. They export data from Europe to the U.S. for a variety of legitimate purposes. While there are other ways to meet EU standards, all are expensive, cumbersome, and time-consuming. Further, full compliance with EU privacy standards (instead of the mixed bag of privacy standards that are part of Privacy Shield) would interfere with some business models. However, U.S. business is also a loser because the Privacy Shield requirements are stricter in important ways than Safe Harbor. Participants in the new scheme will need more notice, more contracts, more management attention, and more lawyers. Many companies currently in the old Safe Harbor may not join the Privacy Shield because of the added burden. Companies that sign up for the Privacy Shield will be likely to have a very good business justification for doing so.
EU consumers – EU consumers are winners because the overall privacy protections of Privacy Shield have the potential to be much better than those of Safe Harbor. The substantive protections are enhanced, reflecting some advances in data protection in recent years. It is reasonable to think that US companies in the Privacy Shield will be more likely to comply with their promises. EU consumers will also have better remedies, should they choose to use them. EU consumers are also losers in a small way because the EU data protection establishment spent enormous time and resources on fixing Safe Harbor rather than paying attention to privacy shortcomings at home.
U.S. consumers – American consumers may be potentially better off because companies in the Privacy Shield are more likely to stop having two-tiered privacy standards, with better privacy protection for Europeans and lesser protections for Americans. A few larger companies have already come to the realization that it is better for all to apply the same reasonably high set of privacy standards to all their customers rather than pay the overhead of two sets of policies. American consumers may also benefit because more American companies might decide that the U.S. would be better off with a general-purpose privacy law applicable throughout the U.S. A general omnibus privacy law that meets EU adequacy standards would make Privacy Shield unnecessary. We are not holding our breath, however, waiting for passage of that law.
American consumers are also losers in the Privacy Shield calculus. The Federal Trade Commission spent enormous time and resources trying to satisfy the European data protection regulators on behalf of the American business community. While active on EU matters, the FTC could not fulfill its mission of protecting American consumers as well as it might have. There is one additional issue. The FTC promised to “give priority” to Privacy Shield referrals and to other Privacy Shield matters. This concerns us. While it is still too early to know exactly what this means operationally, will Europeans really be treated preferentially over Americans by the FTC? If European consumers file Privacy Shield complaints in large numbers, would American consumers find the FTC to be less responsive to their privacy and consumer protection needs? In an ideal world, if there were torrents of EU complaints, the FTC would get additional funding to meet all of the new demands. But the FTC doesn’t have many friends in the Congress right now, and more funding is highly unlikely.
European Commission – The European Commission is a winner because it managed to reach agreement on a replacement for Safe Harbor with the US. Whether the Commission will succeed in having that agreement accepted by all relevant parties and courts in the EU remains to be seen, but it is a success for now. However, the Commission’s ability to weave among the different pressures that affect its data protection activities may be further circumscribed. If EU consumers and consumer groups start looking at other international data flows and at the adequacy of other instruments that support data exports, the Commission will have considerably more work to do in the coming years.
Early Conclusions about Privacy Shield
Some form of general solution to the EU-to-US data export problem is still necessary in today’s world. Safe Harbor was the first stopgap response, and Privacy Shield is the second. If companies trying to do the right thing were cut off without enough time to find another solution, it would be disruptive to both business and consumers. The problem is a legitimate one, and there is still a need for accommodation. Neither side is entitled to its own way.
The reality here is that the Safe Harbor had been in place for a long time. The process had broken down in many areas, especially in the area of compliance, enforcement, and consumer redress. Eventually, the privacy chickens came home to roost. We would have been happier if the European Court had thrown out Safe Harbor because of its inherent shortcomings and its lack of compliance. But the EU Court found another basis, and it established a much harder standard to understand and to address.
It is not clear that either the EU Court or the Safe Harbor/Privacy Shield structure is the right place to decide what the US considers to be national security activity. We do not know any more than anyone else what the EU Court will do with the next case.
The inherent difficulty of dealing with the national security issue in this context had some positive consequences for privacy. The Privacy Shield process had no hope of making any substantive changes to US national security activities. Because Privacy Shield had nothing meaningful to offer on national security, it instead addressed the shortcomings of commercial transfers allowed under the Safe Harbor agreement. That was doable whereas national security was beyond reach. Another reason for the strengthening of Privacy Shield is the role played by data protection authorities.
In the end, we would have been happier had the Privacy Shield agreement come with a reasonable sunset. American companies should have been given adequate time – perhaps five or ten years – to find other routes to solve their data export problem. With enough time, companies could solve the problem and the need for a generic solution like Privacy Shield would slowly disappear. As it stands, the one certainty at hand is that there is likely to be a third act in this drama sometime in the future.
Top image courtesy of the European Commission