The EU and US often have different views regarding legal frameworks. The EU generally prefers more granular control, whereas the US is more laissez-faire. To regulate cybersecurity and privacy protection for data, the EU uses a comprehensive model, where one law applies to government and all businesses. The US uses a sectoral model, enforcing different laws for government and for each sector. Each can work well within its own jurisdiction, but the Internet is global. Data goes everywhere. Laws stop at borders.
How do you reconcile the two systems?
The first European data law, promulgated in 1995, was the Data Protection Directive (DPD). To bridge the differences, the EU and US negotiated the Safe Harbor agreement. It came into effect in 2000 and allowed data about EU and US residents to flow unhindered across the Atlantic. It was very successful until October 2015, when the European Court of Justice (ECJ) heard a case that questioned the US attitude toward protecting EU residents’ privacy. The ECJ determined Safe Harbor was lacking and threw it out. Considering the large amount of data that flows back and forth between the EU and US, the end of Safe Harbor was a major problem.
The US and EU reacted promptly and negotiated a new agreement within four months. The EU-US Privacy Shield Program was signed in February 2016, but it did not take long until questions arose. By May 2016, the European data protection supervisor stated that “the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court.”
Despite this strong condemnation, the EU Commission went ahead and in July 2016 decided that the Privacy Shield was adequate to protect EU residents’ rights (adequacy decision). The Privacy Shield had become official.
The program allowed US companies to comply with not only the old DPD but also the new General Data Protection Regulation (GDPR). For US companies it seemed that all their GDPR compliance problems were solved: they did not need to worry about giving data subjects any privacy rights, and large fines were not a concern. All they had to do was sign up to the program with the US Department of Commerce (DoC) and self-certify. The program would be enforced by the leading federal privacy enforcement agency, the Federal Trade Commission (FTC). This certification would allow companies to transfer data out of the EU without violating the provisions of Chapter V of the GDPR, which sets the requirements for transfers from the EU to third countries – in effect, a get-out-of-the-Regulation-free card. So far about 1,800 companies have signed up – far fewer than the 4,000 that certified under Safe Harbor.
Understandably, many companies are cautious about certifying to the Privacy Shield, which may have done nothing more than provide a false sense of security. The European data protection supervisor is already facing legal challenges. In 2016, two advocacy groups – one Irish (Digital Rights Ireland), the other French (La Quadrature du Net) – filed cases in the EU General Court, the lower court of the Court of Justice of the European Union. They want the European Commission’s adequacy decision allowing transfer of data under the Privacy Shield to be overturned.
It may take some time for these cases to move through the courts, and their outcomes are uncertain. The European Parliament is now involved.
Europeans are focusing on four areas:
- Access to EU resident data by US authorities
- Possibility of collecting bulk data
- The US ombudsperson
- Cost and complexity of the redress mechanism
The first and second problems are the real sticking points. The Europeans believe that US security agencies’ insatiable appetite for information impinges on basic rights. In contrast, the US security agencies, notably the NSA, feel that access to everyone’s data is an absolute necessity to ensure national security. President Trump has made it exceptionally clear on many occasions that he completely supports US security agencies.
Learn how US laws differ from the EU GDPR and why LIBE Committee Chairman Moraes is not satisfied, in Part 2 of this post.