The end of Brexit, when it comes and whatever it entails, will obviously not mean the end of our relationship with the EU. It will not even mean the end of our negotiations with the EU over a wide range of issues (with doubtless endless future headlines of ‘EU being nasty to us’).
That message was hammered home in the last few days by the publication of the first annual report on the functioning of the new EU-US Privacy Shield, the arrangement for protecting the personal data of anyone in the EU which is transferred to the US for commercial purposes. The relevant EU Commissioner visited Washington for a couple of days in September to conduct a review with her US counterpart of the first year of the Privacy Shield’s activity, and the report of the review has just been published.
In advance, the Council of Bars and Law Societies of Europe (CCBE) declared its view on what should happen. Essentially, it thought that the European Commission should suspend the decision on the adequacy of protection provided by the Privacy Shield, on the basis that the US does not ensure a level of protection of personal data sufficiently equivalent to the one guaranteed in the EU.
The CCBE’s main argument was based on the wide access to personal data by public authorities in the US, brought about by a lack of constitutional guarantees for non-US citizens, and made worse by one of President Trump’s earliest executive orders, which denied non-US citizens access to the provisions of the US Privacy Act.
From a political point of view, it was never likely that the EU would suspend the Privacy Shield – although it may be forced to do so in due course because of cases wending their way through the Court of Justice of the European Union. The Commission can count itself lucky that it negotiated the Shield when President Obama was in office, since the current President has not shown much interest in negotiating agreements, despite his boasts to the contrary. Presumably the Commission’s current strategy is to hold on to the Privacy Shield at all costs, for fear of what might follow.
And so the Commission’s main theme from the review is to say that it ‘stands strongly behind the Privacy Shield … This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work’.
But the report goes on to make a string of recommendations for improvement, and these by their nature show that much is wrong. For instance, on the CCBE’s point about governmental access to EU citizens’ data, ‘the Commission would welcome if US Congress would consider favourably enshrining in the Foreign Intelligence Surveillance Act the protections for non-Americans offered by Presidential Policy Directive 28’ [an Obama directive].
We know that the Trump administration has been slow in its appointment of public officials, and so, in relation to the infrastructure established for oversight of the Privacy Shield, ‘the Commission calls on the US administration to swiftly appoint a permanent Privacy Shield Ombudsman, as well as the missing members of the Privacy and Civil Liberties Oversight Board’.
Regarding a complaint made in passing in the CCBE’s paper, in relation to the certification process for US companies, the Commission recommends the following for the US Department of Commerce:
- companies should not be allowed to publicly announce that they are Privacy Shield-certified until the Department has finalised their certification;
- the Department should conduct regular searches for companies falsely claiming participation in the Privacy Shield; and
- the Department should also conduct compliance checks on a regular basis.
This does not sound like an arrangement going from strength to strength. Given these holes (and there are more), it is surprising that the Commission ‘stands strongly’ behind the Privacy Shield – but not, as I say, when the political background is taken into account.
The Article 29 working party, which brings all EU national data protection authorities together, has yet to give its view on the review, and so there may be fireworks yet.
In due course, the UK will be in the same position as the US, outside the EU’s data protection regime. We will adopt next year, before we leave, the most up-to-date EU legislation on the subject – the General Data Protection Regulation – but that will still not of itself bring us within the EU regime, since the key element of arbitration by the Court of Justice of the European Union will presumably be missing after our departure. So a mutual agreement will have to be reached.
Expect our relevant minister in due course to be involved in yearly wrangling with his or her opposite number in the EU to ensure that the UK’s equivalent of the Privacy Shield can continue.
Jonathan Goldsmith is Law Society Council member for EU matters and a former secretary general of the Council of Bars and Law Societies of Europe. All views expressed are personal and do not necessarily reflect the views of the Law Society Council.