"It's the economy, stupid" has long been part of the American lexicon as shorthand for boiling a broad, complicated topic down to a foundational element or principle. In advising Bill Clinton in 1992 on strategy against incumbent President H.W. Bush, campaign manager James Carville was famously talking about the economy as the issue at the heart of the election. So, to make use of the device, if you want to emphasize the central element of any argument or proposition, you just insert your topic of choice for "economy."
Well, I would say the same thing when looking at the relationship between the European Union ("EU") and the United States ("U.S.") when it comes to privacy promises and protections for the personally identifiable information ("PII") of EU residents. "Privacy is about trust, stupid." I can lecture for days on regulatory compliance, legal strategy for managing the risks associated with PII, and even develop a data governance plan to help you do it all. But sometimes it's better to use plain language. Privacy is about trust. Grasping that basic principle can do wonders for people and business, and for the governments that serve both—especially just days after Data Privacy Day and a news-making Executive Order that made news for other reasons (more on that later).
A brief history of privacy between the EU and the United States. The first thing to know is that the EU member countries, or "states," treat privacy as a fundamental human right. This is hardly surprising when one considers Europe's history with war and the ways in which personal information has been used to the detriment of citizens, including surveillance, public shaming, and even genocide. By contrast, and contrary to popular belief, the United States does not treat privacy as a fundamental and explicit human right. Rather, the U.S. government has chosen to protect privacy by market or sector. For example, we have healthcare privacy (HIPAA), financial privacy (GLBA), consumer reporting (FCRA), etc. As technology grew and the mass transfer of PII became so simple, friction also arose between U.S. companies wanting to do business in EU member states and the laws of those states. The EU's Data Protection Directive (formally Directive 95/46/EC) was adopted in 1995 and regulated the processing of personal data within and outside the EU. In order to continue to do business using the PII of EU citizens (employees, consumers, etc.), U.S. companies had to satisfy the Directive's requirements and could do this, generally, in one of two ways.
Model Contracts & U.S. Safe Harbor. To this day, a company can still generally comply with the Directive and laws of the member states by negotiating business agreements with EU-based entities that transfer PII to the U.S. In those agreements, or model contracts, a U.S. company must make several warranties and representations as to how it will transfer and use PII of EU residents. Or, rather than negotiate hundreds of agreements, a company used to be able to self-certify with the U.S. Chamber of Commerce as a "Safe Harbor" company, meaning it had implemented the necessary data governance practices to ensure the requirements of the EU member states were met in moving PII to the U.S.
This lasted from about 1998 through 2015, when the Court of Justice of the EU held that the U.S. Safe Harbor provided an "inadequate level of protection" for the PII of EU residents. In Schrems v. Data Protection Commission, an EU citizen challenged U.S. Safe Harbor as not providing adequate protections of his personal information held by Facebook in the U.S. Schrems specifically challenged the adequacy in view of Edward Snowden's 2013 disclosure of the National Security Agency's Prism program. The Court agreed. Safe Harbor was dead.
Indeed, many people saw this change as earth-shattering and shocking. However, as I have written before, it was hardly shocking. Long before the Schrems case, the U.S. had been labeled the "wild west" when it came to privacy by many skeptics in the EU. Snowden's disclosure just confirmed that lack of trust. The Court's decision helped to expedite already ongoing efforts to revise the Directive and put in place a stronger law.
New and Improved: The GDPR and Privacy Shield. The General Data Protection Regulation ("GDPR"), adopted in April of last year, will supersede the Data Protection Directive and is planned to be enforceable starting on May 25, 2018. Like the Directive, the GDPR regulates the use of PII inside and outside the EU. Similarly, the U.S. and the EU have jointly developed a compliance mechanism to replace Safe Harbor. The new version is called "U.S. Privacy Shield." Thus, U.S. companies expecting to collect and transfer PII from the EU will need to develop a Privacy Shield compliance program, or use model contracts. Indeed, since the GDPR's release, companies on both sides of the Atlantic have been analyzing the regulatory requirements and a strategy to comply.
Hold up. Wait a minute. This expectation and what compliance looks like may change significantly as a result of President Trump's Executive Order signed last week, in which it specifically states:
"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." (emphasis added)
Now, by way of disclaimer, there may indeed be no impact on Privacy Shield as a result of this Order. The issue is very much in flux, and both the EU and the U.S. are currently posturing over whether there will or will not be an impact, or whether any transfers will be allowed at all. Regardless, the concern is reasonable. On its face, the Order rolls back some protections for the PII of EU residents (or of any non-resident of the U.S.). This represents a change from the original environment in which the GDPR and Privacy Shield were developed. Therefore, EU countries may balk at accepting Privacy Shield as an adequate assurance of protection for residents' PII if the U.S. government is changing the manner in which it will protect the information in its possession. EU countries may develop the same concerns as were raised in the Schrems case; in short, that there are not adequate protections against government collection and misuse of PII in the United States. There may or may not be an issue. However, even if there is no material change as a result of the Order, the point to be made is that mistrust exists based on previous representations by the U.S., and therefore additional scrutiny and potential delays may result.
The Trust Value Proposition of Privacy. So, I shared all of this not to render an opinion on whether Privacy Shield will survive or not. Rather, I share this story to reiterate a fundamental value proposition of privacy. Privacy is about trust, whether it is a relationship between consumer and company, companies and governments, or between countries. And, without getting into the political drama of our day, changing such a position or even the appearance of changing a position on privacy can lead to a weakening of trust between any two parties and have a real impact on business. Indeed, even the perception of a problem can be as negative as the presence of an actual problem. This is why trust is so critical. It enables parties to manage the ups and downs of a relationship without breaking that relationship or bringing business to a standstill.
And that is the point I would hope all businesses can take away from this recent development and apply to their own operations. Privacy is not just about compliance with laws and regulations. It truly is about earning and keeping the trust of your employees, customers and business partners. If you are not a trustworthy steward of someone's information, customers can and will take their information (and business) elsewhere. Furthermore, establishing a sound data governance program, including managing privacy and security, not only enables you to respond to adversity more effectively and in a more timely manner, but it also increases the chance that customers will stay with you until the storm passes.