The highest authorities on data protection from the European Union’s 28 member nations issued a statement on Oct. 16 declaring that unless the U.S. National Security Agency modifies its surveillance procedures by the end of January, they may launch a coordinated enforcement campaign against U.S. companies that have privacy protections they deem inadequate. Moreover, they added, any member state has their support to immediately initiate similar enforcement actions on its own accord.
If the U.S. stays the course on its surveillance program, will Europe follow through on its enforcement plan? This will be the main topic of conversation this week as data-privacy commissioners from around the world gather in Amsterdam.
Here are five scenarios I see unfolding in the coming months.
1. Europe won’t shut down transatlantic commerce over privacy.
Europe deeply values privacy, but it also needs jobs and loves American technology. If Europe’s data-protection authorities (DPA) start preventing data transfers of U.S. companies, the U.S. firms could decide to pack up and go home. With unemployment holding at 11% across the eurozone, any ruling party seen as causing more job loss will take a hit in the polls.
Two other indicators support this prediction: history and game theory.
- History: The 1998 showdown. We’ve been down this path before. When the EU passed its Directive on Data Protection in 1995, it said it would begin enforcing its crossborder data flow restriction in 1998. Foreseeing an impossible impasse, the European Commission in 1997 began negotiations with the U.S. Department of Commerce and by 2000 had concluded the Safe Harbor Agreement. Facing a shutdown of transatlantic trade, both sides found a compromise.
- Game theory. Nobel Prize winner John Nash, who’s better known than most mathematicians thanks to the movie A Beautiful Mind, gave us “game theory” tools to predict the outcome of showdowns. When you array the different possible outcomes of the Safe Harbor endgame into a standard game-theory table, the “Nash equilibrium” — see Diagram 1 — is the scenario where the EU imposes a few headline-grabbing fines but avoids an all-out shutdown of data flows.
2. The EU will focus its fines on U.S. tech companies.
The limited fines the EU DPAs will undertake after its deadline passes in January will focus on the iconic companies of Silicon Valley and the Pacific Northwest. Why? Four reasons: history, the Snowden revelations, momentum and perceived ability to pay.
- History: The 1980 showdown. The U.S. and Europe faced a similar situation on privacy in Paris from 1978 to 1980 at the Organisation for Economic Co-operation and Development (OECD) negotiations on the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. According to Australia’s chair of the talks, Europe called for the negotiations because of its concern over growing U.S. dominance in the new industry of information technology. They were purportedly worried that the U.S. would structure the Information Age without regard for European privacy rights, but also that Europe could be left behind economically. That antipathy toward the U.S. tech sector has since only increased.
- Snowden revelations. Some of the files Edward Snowden released depict surveillance activities of iconic U.S. tech companies. Because the decision of the European Court of Justice (ECJ) invalidating the Safe Harbor cited U.S. surveillance activities as of 2013 as the main sticking point, those companies could be top of mind for the DPAs.
- Momentum. Several EU regulators are already investigating some of these same American companies.
- Ability to pay. The combined fining capacity of the 28 EU DPAs would be just a blip on the cash radar screens of the largest Silicon Valley companies.
3. Europe won’t invalidate the Safe Harbor alternatives.
Observers have noted that the rationale of the ECJ’s decision invalidating the Safe Harbor could also be extended to so-called model contracts and binding corporate rules (BCR). Model contracts are intercompany agreements committing the U.S. importer of European personal data to Safe Harbor-like requirements. BCRs are a company’s privacy program approved by European DPAs in a way that binds the corporation’s board to enforce them.
Why won't Europe cancel model contracts?
- Not in the DPAs’ interest. European DPAs are publicly touting the ECJ decision as a victory for EU privacy — but are privately wary of a wave of inbound citizen complaints they would be required to investigate. None has the resources to meet any kind of sustained surge in inbound complaints. Overturning model contracts would do nothing to mitigate this avalanche and might even trigger it.
- Courts proceed case by case. If DPAs dismiss citizen complaints against model-contract situations, the citizens’ next stop is the courts. The courts in turn will review these complaints case by case. The nature of these complaints will be specific to individual companies, and so will the court decisions. They won’t cancel all model contracts en masse.
4. The EU will accelerate approval of its new privacy law.
The EU has passed every predicted deadline for wrapping up negotiations on its General Data Protection Regulation (GDPR). The European Council, European Parliament and European Commission are reconciling their final versions of the law, which some have said has been the most-lobbied piece of legislation in the EU’s 23-year history. In any foreseeable scenario, the final text will create new privacy protections for Europeans’ personal data and give DPAs an unprecedented fining capacity of up to 2% of a company’s global revenues for violating the law.
How does the ECJ decision affect the GDPR endgame? Two ways:
- Privacy hardliners emboldened. The court’s ruling has strengthened the hand of those taking the more restrictive positions of the remaining points of the GDPR debate. This new momentum may be just what is needed to push through consensus on those topics.
- DPAs strengthened. Passage of the GDPR will give DPAs a way to change the public commentary from data transfers to the U.S. to implementing the new law. The GDPR’s passage will also give DPAs an opening to ask for more staff resources from their legislatures, which they will need to handle any wave of new citizen complaints.
5. The focus will shift to EU government surveillance.
Some enterprising U.S. law student in Europe will soon realize she can become famous doing the reverse of what the Austrian grad student did to the Safe Harbor. How? By starting a lawsuit in Europe against a European government, alleging that it is violating her rights through its surveillance using the same rationale laid out in the ECJ decision.
The irony of the ECJ decision is that European personal data stored in the U.S. is probably safer from U.S. surveillance than that same data stored in some European countries. The rationale of the ECJ ruling will be the privacy-rights chicken that comes home to roost.
As a result, Europe will either need to modify its own surveillance procedures — something its intelligence agencies will be reluctant to do during the escalation of conflict near its borders — or shift its attention away from its impasse with the U.S. and toward implementing its new GDPR.
The landmark privacy developments in Europe this fall arrive in an era of accelerating technological innovation. The cloud and mobile revolutions of recent years are yielding to the next big thing — the Internet of Things (IoT). The IoT promises to generate jobs and establish competitive advantage for its early adopters. The new ways of collecting, using and sharing personal data across the IoT, however, will stress the boundaries of the ECJ decision in the years to come.
What should American companies do in the meantime? A few things:
- Don’t panic and make decisions about where to host data based on the current situation. Events are fluid, so hold tight.
- Get model contracts in place, but prepare to demonstrate compliance with their provisions in a much more robust way in order to successfully weather DPA investigations prompted by citizen complaints.
- Prepare for a shorter grace period to implement the GDPR requirements in your European operations, just in case.
And, most importantly, move full-steam ahead bringing your American innovations and can-do attitude to the European market. Our shared future depends on it.
Jay Cline leads the privacy practice at PricewaterhouseCoopers LLP.