With the data-sharing framework Privacy Shield now almost three years old and the EU’s GDPR rules in full effect, here’s a look at how the issue of personal privacy is treated differently in the EU and the US and how Privacy Shield addresses it. Originally posted on Spiceworks.
When President Donald Trump signed an Executive Order to strip away privacy rights from non-US citizens in 2017, experts voiced concern that the order might jeopardize the six-month-old Privacy Shield data-sharing agreement between the EU and the US.
Before we go any further, let’s highlight a keyword: This order might jeopardize Privacy Shield. Already, there are EU politicians saying the order is irrelevant because of careful provisions made within the data-sharing agreement. And since Privacy Shield is the successor to Safe Harbor, a data-sharing agreement forged in the late ’90s, EU member states have been highly attuned to data privacy practices in the US.
In order to understand why Safe Harbor was struck out and Privacy Shield was adopted, we have to understand how privacy is treated differently between the two trading blocs. And in order to understand what Safe Harbor and Privacy Shield are, we have to understand the laws guarding individual privacy in the US and the EU.
Why this matters
It’s important to zoom out here: Before the rise of the internet, none of this privacy law stuff really mattered in US-EU relations. A German family in the 1980s wasn’t keeping their family photos in a computer in California — they likely kept them in a photo album stashed somewhere in their living room.
Likewise, a French family didn’t have to worry that their medical and financial records might be sitting somewhere across the Atlantic Ocean. Because come on — that’d just be ridiculous.
That all changed with the rise of the internet. Nowadays, an Estonian teenager using an iPhone could have plenty of personal data sitting on a server somewhere in the US and be none the wiser. For that matter, a German adult with a Fitbit could have lots of health data sitting on a server somewhere in California. The examples go on and on — just consider how websites track you for advertising purposes and it gets more and more complex.
But since the rise of the telegraph, communication lines have connected Europe and the US and digital data has flowed across the Atlantic Ocean. “The United States and the EU remain each other’s largest trade and investment partners,” says the Congressional Research Service. “In 2013, total U.S.-EU trade in goods and services amounted to $1 trillion and U.S. FDI in EU totaled $2.4 trillion (or about 56%) of total U.S. direct investment abroad.”
The bottom line: Stop that flow of data between the EU and the US and you’ve just cut out trillions of dollars of economic activity. And no one wants to do that.
Data Privacy in the US
When it comes to privacy in the US, there is no “single, overarching data privacy and protection framework.” Instead, there are a slew of laws at the state and federal levels that protect individual privacy in distinct industries.
One example is HIPAA (Health Insurance Portability and Accountability Act of 1996), which protects individual medical information at the federal level. HIPAA is one of many industry-specific regulations that “vary by sector, with different laws governing the collection and disclosure of financial data, […] student information, and motor vehicle records,” according to the Congressional Research Service.
But the two biggest laws in the US are the US Privacy Act of 1974 and the Electronic Communications Privacy Act of 1986. Taken together, the two laws require the US government to gain the consent of an individual before disclosing information about them and “prevent unauthorized government access to private electronic communications.”
There have been a few revisions to these laws — the Patriot Act, for instance — but the two laws outline, in broad strokes, how the US approaches data privacy on a case-by-case basis: specific aspects of individual privacy are governed, but there is no explicit Constitutional law that makes privacy a right. Instead, privacy is treated as an implicit right.
Data Privacy in the EU
But in Europe, it’s just the opposite: privacy is an explicit right of all EU citizens. This is in no small part due to Europe’s history, which most recently has been marked by totalitarianism and fascism in the 20th century. Privacy isn’t something that’s protected on a case-by-case basis in Europe (as with medical records in the United States), but something that is a human right of all citizens and is enshrined in the European Convention on Human Rights.
In 1980, EU member states expanded upon what this right to privacy entailed with seven basic principles:
- Notice must be given when data is being collected
- Individuals should know the purpose behind the collection
- Consent must be given before data is collected
- Security of the data must be ensured
- Companies must disclose who is collecting data
- Citizens must have access to any data about them
- And all companies who possess private data are accountable in the case of a security breach or misuse of private data
Here’s the thing, though: These principles aren’t law. They’re just helpful guidelines for EU member states. Despite that, they offer helpful context for every law and data sharing agreement that the EU has signed off on since the early 1980s.
And the biggest law that protects data privacy in the EU is the Data Protection Directive (DPD) of 1995, which is the spiritual successor of the principles outlined above.
In broad strokes, this directive demanded that any personal data of EU citizens held outside of the EU be given the same protection as data held in the EU. It also ruled that individuals had the right to “access their personal information and the right to correct errors, but also the right to seek remedial measures and compensation, if necessary.”
Safe Harbor’s rise and downfall
But when the EU signed off on DPD in 1995, officials on both sides of the Atlantic got nervous. Suddenly Europe had a sweeping set of protections for personal privacy that were at odds with their US counterparts. And with the rise of the internet in the 1990s, personal data was starting to travel out of Europe and into the US in bigger quantities.
The result was Safe Harbor, a data sharing agreement negotiated in the late 1990s and signed off on in 2000 by the US Department of Commerce. In simple terms, Safe Harbor allowed US companies to “self-certify annually to the Department of Commerce that it had complied with the seven basic principles and related requirements that have been deemed to meet the data privacy adequacy standard of the EU.”
If the number seven sounds familiar, that’s because it is: These seven basic principles were taken — and in some cases paraphrased — from the guidelines laid out by the EU in 1981.
Despite the occasional protests about — and criticisms of — Safe Harbor, it stood firm for the next 13 years, allowing US and EU tech companies to flourish. That all changed in June 2013 when the US-national National Security Agency (NSA) contractor Edward Snowden released a cache of unauthorized documents that detailed US surveillance efforts that violated EU privacy laws.
To put it nicely, people got angry on both sides of the Atlantic. But with news that the US had allegedly spied on figures like Germany’s Chancellor Angela Merkel, European politicians and citizens got pretty ticked off. And suddenly a big question cropped up: Just how safe was all that European data that private US companies had their hands on?
By October 2015, the Court of Justice of the European Union (CJEU) ruled the Safe Harbor agreement invalid. The ruling stemmed from a court case brought by the Austrian citizen Maximilian Schrems, who went after Facebook once he found his personal data had been transferred from servers in the EU and back into the US. The biggest takeaway from the ruling: The US weighed its national security interests over Safe Harbor.
The rise of Privacy Shield
Even before the EU struck down Safe Harbor, US and EU officials had begun meeting to revise and modernize the agreement. Some had even called for the EU to suspend Safe Harbor in 2013. But officials had steadfastly refused, citing the tremendous economic harm such a move could bring. So when the EU did finally strike down Safe Harbor in 2015, officials set to work attempting to replace it as fast as possible with an alternative to prevent any economic fallout.
The result was Privacy Shield, which the US and the EU approved in July 2016. “The new framework is substantially longer and more detailed than Safe Harbor,” the Congressional Research Service says. “The Privacy Shield principles entail seven distinct categories: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.”
In short, Privacy Shield is a souped-up version of Safe Harbor with many of the same provisions. The major difference: Privacy Shield allows the EU to take the US — and any companies — to court over infringements on the agreement. Privacy Shield also includes a slew of signed commitments from US security and government officials.
What this all means for the future
But even though it’s settled law at the moment, Privacy Shield still has critics in the EU. Most notably, the Article 29 Data Protection Working Party has delivered an opinion saying that despite its improvements on Safe Harbor, Privacy Shield still doesn’t properly address the deletion of data, retention period, or collection of it. Likewise, the European Data Protection Supervisor said that “Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court.”
For one, expect more changes to Privacy Shield over the next few years, but expect them to come slowly. Officials in the EU and the US have historically been scared to mess with things that have trillions of dollars riding on them. That, at least, helps explain why it took a PR disaster like the Snowden revelations and the EU invalidating Safe Harbor to get officials to create Privacy Shield.
But no matter what agreements are made, the underlying issue remains: In Europe, data privacy is an explicit right protected by specific legislation; in the US, data privacy is an implicit right that can be superseded by law enforcement and national security interests.
TL;DR: In Europe, data privacy is an explicit right protected by specific legislation; in the US, data privacy is an implicit right that can be superseded by law enforcement and national security interests.
This has led to problems between the two trading blocs when it comes to sharing data. But stop this flow of data and you stop trillions of dollars in annual economic activity. The result: complex data-sharing agreements like Safe Harbor and Privacy Shield.
Aaron Winston lives in Austin, TX and has written about technology, history, e-commerce and more. Currently, he works as a Content Strategist for the flexible workspace company Hana.