Yesterday, after two years of dispute and contention, the European Commission and the US Department of Commerce announced the formal adoption of the Privacy Shield scheme – the successor to the Safe Harbor scheme – thereby paving a way forward for legally accountable transatlantic data exchanges. Tricky, ongoing, and politically-charged issues of personal privacy, data protection, and trust in the digital economy finally have a resolution.
If only it were as simple as that.
The Privacy Shield announcement, the issues underlying it, and the drama preceding it affect you if you move data from Europe to America. Likewise, if you are in America using European data for your product, web site, app, or service, you need to know about this too.
There is no tl;dr for this particular issue; however, I have done my best to explain it in the plainest English possible.
Let’s start with the strangest technical term you’ll hear today: “adequacy”.
What is “adequacy”?
To understand why the Safe Harbor/Privacy Shield debacle has been such a massive issue, you first have to understand the EU Data Protection Directive (95/46/EC), the directive covering all personal data across Europe regardless of sector or role. Being a directive rather than a regulation, it does not apply directly: each EU member state has transposed it into its own national legislation (in the UK, the Data Protection Act 1998).
The Directive's rules are usually summarised as eight data protection principles which must be followed by anyone handling personal data across Europe; the wording quoted below is the UK Act's. The eighth principle, which implements Article 25 of the Directive, deals with transfers of data out of the EU to non-EU countries:
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
In other words, if doing business with the EU means that you handle European personal data, you must have a legally accountable standard in place to ensure that the European data you are using is protected as if it were still in Europe. That standard can take the form of national legislation recognised by the Commission, an approved industry self-regulation scheme (which is what Safe Harbor was), contractual commitments such as the Commission's standard contractual clauses, or binding intra-company rules.
This concept is called adequacy.
The existing Data Protection Directive dates from 1995 (!) and is being replaced on 25 May 2018 by a new modernised regime, the General Data Protection Regulation (GDPR), which was adopted in April 2016 and, being a regulation, will apply directly in every member state. Adequacy will remain a key principle under GDPR, which includes many more safeguards and expectations than its predecessor.
Anyone doing business with Europe needs to be in full compliance with the 1995 regime until 2018, and with GDPR after that.
What was Safe Harbor?
The nature of the tech industry means that the United States has always been the biggest user of European data, whether that consists of personal files, social media accounts, cloud backups, or customer records. The US’s lack of a comprehensive federal data protection law – indeed, its occasional bafflement over Europe’s upholding of privacy as a fundamental human right – meant that much of the concept of data protection adequacy, in practice, meant dealing with the US.
From 2000 to 2015 the US Department of Commerce administered a programme called Safe Harbor, which the European Commission recognised in an adequacy decision of July 2000. This provided a standardised framework to help US companies to adhere to the eighth data protection principle. In short, Safe Harbor meant adequacy.
In tune with the American cultural tradition of self-regulation, the Safe Harbor programme provided that adequacy through self-certification: a company promised to follow the Safe Harbor principles, and the only enforcement behind that promise was the Federal Trade Commission's power to act against companies whose certification turned out to be false. European customers were able to verify that an American company participated in the programme by checking a dedicated portal on the Department of Commerce web site.
Why wasn’t Safe Harbor adequate anymore?
As with so many digital laws and policies, what worked on paper did not work for long in practice. The data protection needs of 2000 – rules conceived mostly to deal with small, manual, occasional intracompany transfers – held little relevance to the background data beaming from all of your gadgets to America in 2015. In recent years, many people – myself personally included – would have told you that Safe Harbor was barely worth the paper it was printed on.
That was before we heard of a bloke called Edward Snowden.
If the Safe Harbor programme was already working on shaky ground, the Snowden revelations derailed it entirely. Europeans could no longer trust that their data was safe in the US in light of mass state surveillance and data retention. American companies, understandably, saw little point in continuing to adhere to the Safe Harbor framework in light of those surveillance revelations; after all, they were victims of it too.
Epic drama ensued, which we won’t get into, but it involved a lot of shouting, grandstanding, and courtrooms.
One of those courtroom battles, brought by Max Schrems against the Irish Data Protection Commissioner over Facebook's transfers to the US, led to the EU Court of Justice issuing a ruling (pdf), in October 2015, that the Commission's Safe Harbor adequacy decision was invalid; in plainer terms, that the Safe Harbor programme was indeed a load of rubbish. From that moment, Safe Harbor no longer achieved adequacy, and by extension, neither did any company relying on it.
Europe’s point was made, and not before time.
That point, however, left the 4,000-odd US companies who used Safe Harbor with no legally accountable framework to achieve adequacy. And it left European consumers with no guarantee of data protection.
More epic drama ensued.
(Larger multinationals, as always, had all the money and lawyers they needed to duct-tape together an interim adequacy mechanism, typically the Commission’s standard contractual clauses or binding corporate rules. The rest of us were, and indeed still are, stuck in legal limbo.)
Privacy Shield is the new Safe Harbor
In February of this year the EC and the US Department of Commerce came up with a replacement for the Safe Harbor scheme called Privacy Shield.
(Yes, I know it sounds like a sanitary product. Just deal with it.)
Privacy Shield was announced, with great fanfare, as a solution that would patch over the holes in the Safe Harbor programme. It was, however, soon met with grave reservations from the Article 29 Working Party.
Who are they? The Article 29 Working Party, named after the article of the Directive that created it, brings together the data protection authorities of every EU member state (along with the European Data Protection Supervisor and the Commission) and acts as the EU’s independent privacy watchdog. Its opinions are non-binding, but hugely powerful. Think Jules and Vincent driving around discussing “royale with cheese”.
(I may be exaggerating somewhat. You try studying this stuff for a living and see what it does to you.)
Anyway: from February until this month the Privacy Shield plans were swatted back and forth between the European Commission, the Article 29 Working Party, and various committees. In the meanwhile, civil society and digital rights groups came out strongly against the plans, asserting that they fail to address the heart of the matter.
They’re not all wrong. The main point of contention is the same as before: mass and indiscriminate bulk collection of personal data by the US state security apparatus. If the US – and the UK, for that matter – continue to use national security loopholes to slurp everything up (as they do), because of “terrorism” and “law enforcement” and other authoritarian excuses, the most rigid framework possible offers no protection at all.
Every company left in limbo by the Safe Harbor annulment knows that perfectly well, but each passing month that they have been made to wait for a legally accountable framework for their everyday business operations has worn their patience ever thinner.
Habemus Privacy Shield
On 12 July, following a vote in which the member states approved it with four abstentions, the EC and the US Department of Commerce announced the formal adoption of Privacy Shield.
You can read all of the extensive and exhausting detail in the press release here. That page also contains links to background documents.
As part of the announcement, the US Department of Commerce said they will begin accepting self-certifications to the Privacy Shield scheme from 1 August. They have already published compliance information here (pdf) for US companies to follow. In other words, the new regime starts up on 1 August.
And that should be it really – normal service will resume as of three weeks from now.
…uh, maybe not
Not so fast: on 25 July the Article 29 Working Party will meet to discuss the latest iteration of the Privacy Shield scheme. Their opinion, as always, is non-binding but carries enormous weight. They had grave reservations about the last iteration (pdf), and their verdict on the new one may well send it back to the drawing board yet again.
Even if Privacy Shield does meet with their approval, it is far from safe. Digital rights and civil society groups are up in arms over yesterday’s announcement (see, for example: “Privacy Sham”, “New Shield, Old Problems”, and of course, Schrems) and are already preparing litigation.
In other words, more drama is ahead.
Because that’s exactly what we need right now in the web profession. More international drama.
What should you do?
My recommendation for you would be to prepare for compliance along yesterday’s published Privacy Shield guidelines. Even if the programme is delayed or altered, you will at least be working to the minimum compliance levels for your own business. You are not responsible for the NSA.
You should also ensure you are in full compliance with the existing EU data protection principles, and begin brushing up on GDPR as well (pdf). Compliance with both the old and new regimes should be viewed as a series of continuing business processes, not a checklist of one-off tasks.
Data protection by design and by default (Article 25 of GDPR) is a key component of the new regime. The “by default” half is the one to start on now: it means that, out of the box, you collect, retain and expose only the personal data that each specific purpose actually needs. A cynic would say that early compliance gives the security apparatus less data to inspect.
Postscript: what about Brexit?
The Privacy Shield debacle – negotiations, lawsuits, and all – has offered a sneak preview of what is likely to happen if and when the UK leaves the EU. Like the US, Britain will need to establish a data protection regime good enough to achieve adequacy with the EC, the Article 29 Working Party, and Europe’s assorted data protection agencies. For all intents and purposes, this process will be Privacy Shield II.
Now here’s the difference: Britain would be engaging in this process under the leadership of one of the most anti-privacy, surveillance-hungry politicians ever to rise to power during peacetime. An authoritarian whose mass surveillance and bulk data retention policies have been called a “machiavellian masterpiece” is not likely to have a healthy respect for the European concepts of digital rights and online privacy in a post-EU Britain.
Based on her previous approach to data protection, the new Prime Minister’s leadership of that post-EU adequacy process is likely to take one of two forms. The first scenario is that her Conservatives – a party hellbent on privatising all the things – invite the tech giants who have the most money riding on international data transfers to remake the nation’s laws in their own image. She might even extend this offer as a sweetener to offset the financial costs that these same tech giants must incur to comply with her mass data retention policies.
The second scenario is much simpler: what Theresa wants, Theresa gets.
Now let’s throw in the added variable of timing. Privacy Shield’s adequacy has been future-proofed to the standards which will be required when GDPR takes over in 2018. 2018 is, of course, the year that we may leave the European Union. Would a transitional and spiteful UK bother complying with a data protection regime taking effect at the exact time it wants to leave, or would it do a bare-bones adequacy closer to the 1995 standard and kick real progress on data protection into the long grass?
In the end, it will come down to whose money Downing Street values more: Europe’s or America’s. Whatever scenario ensues, only one thing is for sure: your business, your work, and your data are about to be caught up in an international soap opera that will make the Safe Harbor/Privacy Shield debacle look like a warm-up.
Last thought from the dear green place
There’s one final thought which must be expressed from this Glasgow coffeehouse. Data protection, in the legislative sense, is a reserved matter. The devolved administrations in Belfast, Edinburgh, and Cardiff cannot legislate derogations or additional requirements for their own nations.
Scotland’s uncertain future in post-EU Britain may change that.
If a post-EU Britain takes a dismissive approach to GDPR adequacy, have no doubt that a pro-EU Scotland would achieve full adequacy as soon as possible in order to tempt tech businesses north of the border. An independent Edinburgh, as has been suggested, would be more than happy to use GDPR adequacy to attract inward investment from savvy multinationals fleeing the uncertainty of London.
Play this game carefully, Prime Minister. We know how to play it too.