Hello Privacy Shield, So Long Safe Harbor

(Note: this piece was written with much input from Eve Maler)

Reactions to the news out of Brussels earlier this week on the EU-US Safe Harbor negotiations were somewhat… polarized. In the “Love It!” camp were US negotiators and the Computer & Communications Industry Association, the main lobbying organ for Internet giants like Google, Facebook and Microsoft, which are all eager to get an agreement similar to Safe Harbor back in place. On the seething, enraged “Hate This! - We’ll See You In Court!” side were data privacy advocates like Max Schrems, the Austrian legal scholar who pursued the case that resulted in the overthrow of Safe Harbor late last year.

So, what was the news exactly? Officially, the EU announced a new framework that will “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Named the EU-US Privacy Shield, the agreement at first glance appeared to be a resolution to the contentious international wrangling around personal privacy and the transfer of data between Europe and the US. But digging down, it’s apparent this was more of a “we’re announcing that we’ve agreed to agree on something, but we’re still working out the details” statement. Hence the heavy reliance on the word “framework” – which shows up eight times in the one-page press release.

It’s clear that the heavy lifting of working out exact provisions remains, and an agreement acceptable to both sides is still possible. But in the meantime, the reaction to the announcement among data privacy activists inside and outside government was swift and negative. Jan Philipp Albrecht, member of the European Parliament, dismissed Privacy Shield as the same old same old: “This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbor decision. The EU Commission's proposal is an affront to the European Court of Justice, which deemed Safe Harbor illegal, as well as to citizens across Europe, whose rights are undermined by the decision.”

Schrems was all over Twitter and conducted multiple media interviews to lodge his distaste for Privacy Shield, predicting that if the final agreement looked anything like what was announced, the whole matter would end up back in court: “If this case goes back to the ECJ – which it very likely will do, if there is a new safe harbor that does not meet the test of the court – then it will fail again.”


What does this all mean for organizations with customers in Europe? Our take is that this debate is likely to continue for the foreseeable future. US interests obviously want to get back to the status quo, and EU negotiators seem willing to compromise, but privacy advocates are drawing a hard line, and they have a sympathetic ear at the ECJ. Remember that this entire argument arose through the Snowden disclosures that the US government was carrying out blanket surveillance on data traffic coming into US data centers. If the ultimate agreement doesn’t satisfy the privacy hardliners, we could be looking at months more of uncertainty. After all, the side that has previously lost the world's trust will have to do some work to regain it, since proving a negative – that surveillance isn't happening – is difficult.

In the press release we put out last week, our Eve Maler pointed toward a data privacy future built on individual consent as a way for enterprises to get out in front of, or even rise above, these ongoing debates: “Organizations looking to design personalized digital services that also respect an individual’s right to control access to their data will find that we have addressed that concern and can offer our customers a competitive advantage. Further, by designing services that offer this transparency and respect, organizations are also better able to address the implications of the emerging regulatory landscape.”

This kind of “go above and beyond” approach to data privacy is gaining traction from many quarters. Accenture put out a trend report recently that put it this way:

“To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.” (emphasis mine)

Sounds like good advice.