The last few weeks have been tough on US data processors, specifically the tech giants Google and Facebook. The Cambridge Analytica saga has caused a ripple effect in which the privacy practices of US tech giants have come under scrutiny. Issues such as Facebook logging call and SMS history on Android phones without users' knowledge, the retention of deleted draft videos, and further scandal over third-party usage of data have been in the media spotlight, and in the background the discussion of transatlantic processing has come to the forefront. As discussed in Part One, the US-EU privacy relationship has quite often been projected onto, and broken by, Facebook's practices and reputation.
The Safe Harbor Agreement was initially the US' way of getting an adequacy decision from the EU to make it easier for US companies to do business with European companies. It allowed companies to self-certify that they would protect data once it was on US shores, removing the need to set up individual Model Contract Clauses with each client. In principle it's a great idea: the EU and the US have a lot of data transfers, and a significant number of prominent tech companies are based in the US. However, it became the centre of controversy when Max Schrems took Facebook to court and argued that the Safe Harbor Agreement did not give adequate protection to EU citizens. In a David and Goliath moment Yves Bot, the European Court of Justice's Advocate General, agreed with Schrems, and in October 2015 the Court reached the same conclusion and declared Safe Harbor invalid. Far from the easy one-stop-shop tool it was supposed to be, it was now a spotlight shining global news on US privacy practices, adding fuel to the fire of the PRISM and NSA scandal. For nearly a year there was no easy mechanism for transatlantic data processing, with organisations largely unsure whether they were still allowed to use US companies (Model Contract Clauses are not particularly well known even now), and shying away from contracts with those companies until a more formal go-ahead was given by the EU. Relations with US companies still haven't recovered, with procurement departments still not sure whether they are allowed to select US companies.
Privacy Shield was born out of the ashes of Safe Harbor, adopted roughly 10 months after Safe Harbor was declared invalid, although it took a little longer for US companies to self-certify and for the list to fill up. There is still a take-up issue, with many companies disregarding it: currently only 2786 organisations are signed up, a fraction of the organisations which process EU data in the US. This makes procurement departments' reservations about appointing US companies more understandable. Arguably the differences between Safe Harbor and Privacy Shield are subtle at best, and do not solve the issues which led to the dissolving of Safe Harbor in the first place (that European citizens' data was being used for mass surveillance, and that there was no recourse to enforce privacy rights). The differences which did make it through were the insertion of key definitions, mechanisms to ensure oversight of the Privacy Shield list, and mandatory external and internal reviews of compliance. The first annual review of Privacy Shield, in November 2017 and before the Cambridge Analytica/Facebook debacle, suggested that the last two of these were not working as safeguards particularly well. It was lukewarm at best, calling for "an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies", and was no less critical of the public authority side, as the security apparatus is still processing EU citizens' data for mass surveillance purposes. Neither privacy campaigners nor certain EU officials are placated by the safeguards put in by Privacy Shield, and this latest development could kill or strengthen it.
Considering the issues the US is having with its privacy reputation, it does need to be stated that there are no blacklisted countries: companies can still do business with any other business in any country as long as there are appropriate safeguards in place. However, the US is currently the most difficult country to do business with, privacy-wise. This is bad news for all US businesses, but especially the tech giants who will be missing out on the large EU market. The US can either change its privacy laws à la Canada and gain an adequacy decision, continue with Privacy Shield and try to get it more widely adopted by US companies, making transfers and contract negotiations smoother, or Privacy Shield could be quashed and replaced with something slightly more robust (... and hopefully something slightly more compulsory).
There have already been some immediate consequences of the focus on US privacy. The CEO of Cambridge Analytica has been suspended, there are calls for Zuckerberg's resignation, and the EU has reiterated that it is unhappy with US privacy practices. There are also signs that it will have a positive effect: Facebook wants to roll GDPR-esque compliance out worldwide (although only 'in spirit'), it has brought attention to the fact that GDPR protects people in the EU even when their data is processed in the US, and hopefully it is a wake-up call to tech giants and other organisations that people take their privacy seriously. The previous cold-start 'wait and see' approach to GDPR implementation, and to working towards good privacy practice in general, may just be heating up.