
One Pager 1: Schrems II: The Inadequacy

8th January 2021 | January 10th, 2021

From ‘Safe Harbour’ to ‘Privacy Shield’, what’s next? Data Asylum?

How Max Schrems shook privacy up.

Max Schrems took to Twitter for his great unveil:

Breaking: The EU’s Court of Justice has just invalidated the “Privacy Shield” data sharing system between the EU and the US

The privacy community is in a state of agitation. “Uncertainty”, “upheaval” and “unstable” are all used to describe post-Schrems EU/US data trade.

So, what does this mean?

  1. The court set out the limited conditions which allow data transfers to persist. The faucet/tap is not completely off.
  2. The problem stems from the US intelligence surveillance laws (i.e. FISA). US intelligence is both a rock and a hard place for the EU.
  3. Surprise! Conferral of privacy law ‘Adequacy’ on a third country by the EU is the gold standard.
  4. The Right to Privacy and the Right to Data Protection in the EU are serious, and limiting those rights has serious consequences.
  5. Brands are responsible for determining their own view of ‘adequacy’ country by country.
  6. There will be a ‘Privacy Shield’ replacement.
  7. Schrems III will follow immediately afterwards.

‘Privacy Shield’ and ‘Safe Harbour’ were a quick fix. A kludge to reconcile the US/EU data protection round hole and square peg – human rights vs property rights; general scope vs sector specific.

‘Privacy Shield’ was the chlorinated chicken of data protection. Just replacing ‘Privacy Shield’ with ‘Data Asylum’ (sic) is unsustainable without US change.

In 1997 the EU banned all imports of US chicken. If you put the ban under a microscope you say the problem is the health effects of chlorine decontamination sprays. If you swap the microscope for a telescope, you say the US food production system is incompatible with the EU vision of “farm to fork”, and the values that underpin it.

Two ways to frame a problem. When a challenge is big enough it merits not one or the other, but both approaches. Extinguish the burning platform and find your north star. The firefighting has started.

Time for strategy. Time to be values led. Time to manage the data supply chain. And, importantly, time to bring the user, the data subject, the customer and the citizen – all one and the same person – centre stage. What do they expect?

Remember, the Court took its decision because of the potential implications for people not data.

At PEA we are vocal about the way privacy is experienced not just because it makes sense, but because it is all too often ignored.

Chlorinated privacy is not the answer.

You find the answer, as is often the case, by starting with your customers and working back from there.

Key Takeaways

  1. Look externally – build scenarios which allow you to identify and rehearse how US/EU data protection regimes affect your operating model. This is the tool for uncertain times.

  2. Look internally – connect brand values to privacy and create tangible principles which allow you to decide, with laws as a baseline, what is and is not material to your brand's version of “adequate”.

  3. Stand up and speak out – prospects and customers, activists and regulators need to understand what, how and why you are demonstrating the way you protect data. Transparency and accountability need a privacy communications strategy to be realised.

PEA was founded to solve these problems – creating privacy communications strategies that customers, activists and regulators understand.

Schrems requires many brands to make significant changes to their privacy processes and operations. This should be an opportunity. Now that brands must come to their own view on ‘adequacy’, it must be arrived at with legal opinion, brand values and customer expectations.

Author: Privacy Experience Agency
