14 June, 2016
The world is getting an insight into the troubling and messy future of legal certainty in data protection law with the current international negotiations. Much political pressure is applied in the case of the Privacy Shield, for example, which is a temporary policy initiative to replace the recently struck down Safe Harbour that enabled lawful transfers of European citizen’s personal data to a handful of suitable countries. Global approaches to data protection are in flux and stark social differences, as well as corporate and political interests, are making compromise increasingly unlikely.
The European Commission announced an agreement with the US Government on the Privacy Shield likely before an actual agreement was reached. The final text was published about a month after this announcement, possibly also to avoid public scrutiny in the media or under pressure from US negotiators to give them more leverage in the final details. The agreement was swiftly denounced on similar grounds by three important political and regulatory bodies. The advisory group of European privacy regulators (Article 29 Working Party) stated that new policy initiatives in data protection must be “viewed in the current international context, such as the emergence of big data and the growing security needs” (pdf). Among other things, the European Parliament questions whether the US ombudsman for EU citizen’s rights would be “sufficiently independent” and powerful to “effectively exercise and enforce its duty.” Finally, the European Data Protection Supervisor states clearly (pdf) that the Privacy Shield would not withstand legal scrutiny of the General Data Protection Directive, which will enter into force in 2018. Currently, a group of diplomats from EU countries have joined in the so-called Article 31 Committee which has veto power over the final Privacy Shield agreement, but has also postponed their decision for the time being.
The European Commission, embarrassed about the failure of the Safe Harbour provision, seems to have caved to US pressure in negotiation, while other bodies are weary of giving up the European hardline approach to privacy. A series of academic papers exist that have researched policy option to reconcile the US and EU approaches to privacy and data protection, but these seem to have been ignored by policy makers. For example, Schwartz and Solove develop a new legal category for personal data and its American equivalent that bridges cross-Atlantic concerns. Paula Kift argues that advancing consumer’s freedom of choice about data practices and meaningful political participation (rather than secretive surveillance) could resolve some issues. Lee Bygrave even goes as far as suggesting that the US-EU negotiations will be overshadowed by increasingly relevant jurisdictions such as China who will set the tone for international data protection negotiations.
Developments in Asia appear to be more promising for a harmonised global approach based on European standards. Several Asian countries have used the Data Protection Directive as a baseline for their national policies, but strong differences persist. Some Latin and South American countries appear to be moving into the direction of a more sector specific approach, possibly influenced by the US model. Once these countries have developed their technological bases and wish to protect their own interests equally rigorously, the current differences between the EU and the US are likely to be a drop in the ocean compared to the international data protection tussles of the future.
Academic Liaison at Princeton University
Privacy officers, privacy managers, compliance officers, risk managers, information security,...