We Europeans feel that we have the strongest data protection for our citizens in the world. Consequently, when the data of EU citizens is transferred outside of the EU, this may only be done to countries with a level of data protection that is more or less equivalent to that of the EU. Data flows to the USA are of particular interest in this regard. Most of our personal data flows to the USA for the simple reason that most of the gadgets and online services we use are from the USA. Europe feels that the USA has very poor data protection, not just for its own citizens but in particular for non-US citizens who do not enjoy constitutional privacy protection under the 4th Amendment. And if the Snowden revelations are anything to go by, there definitely seems to be some merit to this argument.
Up until the European Court of Justice verdict in the Schrems v. Facebook case, data could be transferred freely to the US under the Safe Harbour Agreement. The Safe Harbour mechanism was a self-regulatory scheme whereby US companies voluntarily agreed to uphold an equivalent level of data protection to that of the EU. The ECJ struck down the Safe Harbour agreement, basically because the US government has too far reaching access to data stored with US companies.
Without the Safe Harbour Agreement, other mechanisms for data export need to be used. Through so call Standard Contractual Clauses or Binding Corporate Rules, it is still possible to export data to the USA. However these mechanisms are also being challenged in court, by the same Mr. Schrems. Given that these mechanisms have the same flaws as the Safe Harbour, it is likely that the ECJ will also strike down these options. Another mechanism is simply asking data subjects for their permission. As it stands, this is still the most viable option. But some of the more activistic data protection authorities have already stated that they will not accept consent as a data transfer mechanism. The argument being that we as citizens cannot consent to something that will undermine our privacy.
So where does that leave us? Well, if all options are exhausted there are two possible ways forward: Apple, Facebook, Google, Twitter, Uber, WhatsApp, Amazon, Microsoft and all those other companies that enable our modern lifestyle will have to host their services and data locally in the EU. The other option is somewhat grimmer: our iPhones and laptops will have to stop sending data to the US, which means that they will stop working.
Neither option is really desirable, so therefore the EU is frantically negotiating a new Safe Harbour deal with the US called ‘the Privacy Shield’. But as it stands the deal is not yet up to a standard acceptable to privacy critics like Schrems and likely also not up to the standards of the ECJ. Meanwhile time is running out.
Do you think the big iPhone blackout will come, or will there be a last minute deal?