Five predictions for the EU-U.S. Safe Harbor showdown
If the U.S. stays the course on its surveillance program, will Europe follow through on its enforcement plan? This will be the main topic of conversation this week as data-privacy commissioners from around the world gather in Amsterdam.
Here are five scenarios I see unfolding in the coming months.
1: Europe won’t shut down transatlantic commerce over privacy.
Europe deeply values privacy, but it also needs jobs and loves American technology. If Europe’s data-protection authorities (DPAs) start preventing data transfers of U.S. companies, the U.S. firms could decide to pack up and go home. With unemployment holding at 11% across the euro zone, any ruling party seen as causing more job loss will take a hit in the polls.
Two other indicators support this prediction: history and game theory.
2: The EU will focus its fines on U.S. tech companies.
The limited fines the EU DPAs will undertake after its deadline passes in January will focus on the iconic companies of Silicon Valley and the Pacific Northwest. Why? Four reasons: history, the Snowden revelations, momentum and perceived ability to pay.
Observers have noted that the rationale of the ECJ’s decision invalidating the Safe Harbor could also be extended to so-called model contracts and binding corporate rules (BCR). Model contracts are intercompany agreements committing the U.S. importer of European personal data to Safe Harbor-like requirements. BCRs are a company’s privacy program approved by European DPAs in a way that binds the corporation’s board to enforce them.
Why won't Europe cancel model contracts?
The EU has passed every predicted deadline for wrapping up negotiations on its General Data Protection Regulation (GDPR). The European Council, European Parliament and European Commission are reconciling their final versions of the law, which some have said has been the most-lobbied piece of legislation in the EU’s 23-year-old history. In any foreseeable scenario, the final text will create new privacy protections for Europeans’ personal data and give DPAs an unprecedented fining capacity of up to 2% of a company’s global revenues for violating the law.
How does the ECJ decision affect the GDPR endgame? Two ways:
Some enterprising U.S. law student in Europe will soon realize she can become famous doing the reverse of what the Austrian grad student did to the Safe Harbor. How? By starting a lawsuit in Europe against a European government alleging it is violating her rights through its surveillance using the same rationale laid out in the ECJ decision.
The irony of the ECJ decision is that European personal data stored in the U.S. is probably safer from U.S. surveillance than that same data stored in some European countries. The rationale of the ECJ ruling will be the privacy-rights chicken that comes home to roost.
As a result, Europe will either need to modify its own surveillance procedures — something its intelligence agencies will be reluctant to do during the escalation of conflict near its borders — or shift its attention away from its impasse with the U.S. and toward implementing its new GDPR.
The landmark privacy developments in Europe this fall arrive in an era of accelerating technological innovation. The cloud and mobile revolutions of recent years are yielding to the next big thing — the Internet of Things (IoT). The IoT promises to generate jobs and establish competitive advantage for its early adopters. The new ways of collecting, using and sharing personal data across the IoT, however, will stress the boundaries of the ECJ decision in the years to come.
What should American companies do in the meantime? A few things:
And, most importantly, move full-steam ahead bringing your American innovations and can-do attitude to the European market. Our shared future depends on it.
Jay Cline leads the privacy practice at PricewaterhouseCoopers LLP.