Concerns about the viability of the Privacy Shield, which regulates the access of American companies to data collected in the European Union, have been rising since the inauguration of the Trump administration. The scenario is likely to become more complicated with the implementation of the GDPR. American companies operating in this space need to put in place solid policies and procedures.
As I write, the Privacy Shield – the contested US-EU agreement that allows the flow of data between data-driven companies on the two sides of the Atlantic – is under review. This agreement establishes minimal safeguards for the use by American companies of personal data collected in the European Union, whether this data is harvested through e-commerce, social media, cloud storage services or other means.
The Privacy Shield upholds certain principles, such as that data cannot be used for purposes other than those for which it was collected and cannot be transferred to another company without the owner’s authorisation. Companies sign up to the framework with the US Government, which then monitors whether they honour their commitment to provide guarantees and transparency to the data owner, i.e. the user or customer. Most companies in the programmatic space that operate at a transatlantic level are subscribers, some 2,000 of them so far. A government agency is tasked with investigating breaches and following up complaints.
It all sounds simple.
Only it isn’t.
Even less so in the age of Trump.
The origins of the Privacy Shield, and of its predecessor Safe Harbor, lie in the different data protection regimes on the two sides of the Atlantic. It is not only a matter of legislation (patchy in the US, structured in the EU) but of a genuine cultural difference in the way business and the public view data privacy. For instance, most of the hair-raising stories documented in Cathy O’Neil’s Weapons of Math Destruction (2016) about the pernicious use of personal and behavioural data could not have happened in Europe, at least so far. This divide is only going to widen with the impending implementation of the GDPR, which puzzles and unnerves American business. From a European perspective, corporate snooping and government surveillance of non-US data pose a serious danger to the privacy of European citizens.
These concerns have only been intensified by the Trump administration’s cynical view of the rights of non-US citizens, as enacted, for instance, in border searches of social media accounts. One of the new President’s first executive orders last January stripped foreigners of the protection of American privacy legislation, causing widespread alarm over whether this act had invalidated the Privacy Shield. It did not, but it reinforced the idea that data privacy, especially that of non-American nationals, is precariously placed under Trump.
The belligerent WP29, the Article 29 Working Party of EU data protection authorities, is descending on the US this summer to understand exactly how American companies are complying with the data protection obligations to which they have subscribed, looking in particular at companies that act as data processors. WP29 has advocated a stringent review of the Privacy Shield (already considered too lax) by the European Commission, one that does not rely on vague assurances or on a tick-box exercise. In the wake of Snowden, law enforcement’s access to data raises similar concerns.
While the Trump administration has reassured European Commissioners of its commitment to the Privacy Shield, the Review and the GDPR (which defines as personal data anything that can identify a person directly or indirectly) will open new scenarios. The preservation of transatlantic data flows underpins a $300 billion business, something the administration recognises, but Trump’s erratic orders have raised alarm over whether the commitment to the Privacy Shield is in fact dwindling. While this challenging Review is under way, data-driven American companies will need solid advice and expertise on how to navigate this uncertain, fast-changing political period and make their operations robust in the handling of personal data of European provenance. The future, or fate, of the Privacy Shield is in the hands not only of the Trump administration but of the thousands of companies that commit to abide by its principles.