The Privacy Shield agreement governing transfers of personal data from the EU to the U.S. is dead, or, at least, that’s the position of the EU, whose Court of Justice declared it legally invalid last week. The U.S. Dept. of Commerce’s initial reaction was to stand behind the Shield. As is often the case in a divorce, only one party wanted out.

This is the kind of break-up situation that could get messy. If things are not handled right, we might be looking at another War Of The Roses situation (of the Michael Douglas and Kathleen Turner type, not the Houses of Lancaster and York), where gains and benefits achieved incrementally and gradually over time to the mutual benefit of both parties are lost quickly, due to a failure of give and take.

Someone has to back down

In rejecting the Privacy Shield, the EU has rejected its own progeny. And it has done this twice, as far as transfers of personal data to the U.S. are concerned. The first time was in 2015, when it abandoned the Privacy Shield’s elder sibling, Safe Harbour. So, what is going on here?

What we are seeing is a classic disconnect between political ambitions.

High ideals

On the one hand, the EU has a political ambition to achieve its human rights agenda. Therefore, it has adopted the General Data Protection Regulation (“GDPR”) and other laws before it, to give life to this agenda in the context of data processing activities. Due to the high ideals of this agenda, the EU has bound itself in law to achieve its standards of data protection for all personal data of European origin, wherever they may end up in the world. It is easy to understand where the EU is coming from.

However, that is where the problems begin, because the EU is sovereign only within its borders. The laws of other sovereign nations are not the business of the EU, except where treaties or other sources of international law say otherwise. As far as matters of national security, public security and law enforcement in the U.S. are concerned, they are plainly the U.S.’s business.

Realpolitik

On the other hand, there is a political job to be done. That is to keep data flows going and the wheels of the global economy moving.

Politicians in Europe understand these issues and are as versed in realpolitik as politicians anywhere else. It was a realpolitik mindset that enabled the creation of the Privacy Shield.

Privacy Shield was the compromise, deliberately so, and everyone knew it, but it was the best that the parties around the negotiating table could come up with at the time, within the circumstances they were facing, which included a desire to avoid making impossible demands of one another, especially demands about climb downs from sovereign positions. Politicians versed in realpolitik know that matters of sovereignty can be red line issues and walk away points for sovereign nations. Check out Brexit for further proof of what can happen when compromise on points of sovereignty fails.

There was a back down of sorts

Judges can be political too. They might have been political in the Privacy Shield judgment, by providing a stay of execution over the EU Standard Contractual Clauses, so as to keep them in play for data transfers to the U.S. We will probably never know the answers to all of the questions that arise from last week’s judgment, but, regardless, the starting point for the judges was to interpret the legislation based on what it says and what it means. When they did that for the GDPR and its effects for the Privacy Shield, the judges concluded that the two legal instruments could not be reconciled.

In this whodunnit the clues are not hidden and their meaning is not disguised. Europe’s political ambition to achieve its high ideals in human rights for European personal data, wherever in the world they are found, clashed with its political ambition for compromise for the gain of smooth operations on the global stage. The GDPR is high ideals. The Privacy Shield was compromise. GDPR killed the Shield.

The EU’s killing of its own compromise means that we have been returned to the starting point, with sovereign positions being in conflict. There are lots of opinions being offered on what to do next, among them a small but vocal chorus in Europe saying that the only way to break the deadlock is for the U.S. to back down and change its laws, with the threat of a ban on data transfers if it does not, because the EU will certainly not change its laws.

That kind of mindset does not help to resolve the real issue. The EU cannot command the U.S. to change its laws and it knows it. The U.S. still has the whip hand. A highly confrontational approach to resolving the current problems will be in nobody’s interest.

Risking self-isolation and lockdown

A highly precipitous and rapid reaction to last week’s judgment is therefore best avoided. This is understood within parts of the EU’s regulatory community, which has been handed the mess by the Court of Justice. The European Data Protection Board, which is composed of the data protection regulators of the EU Member States and various officials from the EU institutions, confirmed in its initial reaction to the judgment that it will play a constructive part in securing transatlantic data flows. The UK regulator has been crystal clear about its wish to maintain global data flows.

Some of the German regulators seem to be taking a different position. The view in Berlin is that data flows to the U.S. should be stopped. The Hamburg regulator is predicting “hard times” for international data flows, while holding the view that the Court of Justice came to the wrong answer on Standard Contractual Clauses. It’s easy to see where that is heading.

Europe versus the rest of the world

If a privacy conflict with the U.S. was not big enough, Berlin and Hamburg are also indicating that there could be run-ins with other geopolitical and economic powers. China, Russia and India have been named. The UK is also being flagged.

Yet, there is next to no chance of the EU banning data flows to the U.S., China, Russia, India and the UK (and there are lots of other countries that can be added to a list of those that do not, or may not, see things on privacy and data protection exactly the EU’s way). The EU has no desire to isolate itself from the rest of the world, or lock down its economy.

EU Member States versus US businesses

Instead, if there are to be global privacy conflicts, they are more likely to be between individual Member States of the EU and individual companies with non-EU headquarters. Regulators, such as the Data Protection Commissioner in Ireland, and those in Berlin and Hamburg, will eventually get their opportunities to make their mark, exactly as the EU Court of Justice has set them up to do. Very big decisions will then rest on the shoulders of a few individuals and we will see how far they will take the goal of continuous data protection for personal data of European origin and at what price.

Perhaps, as the UK has recently done with Huawei (regarding Huawei’s role in UK telecommunications infrastructure), there will be a willingness in some EU Member States to take spot action against some U.S. businesses on privacy and data protection grounds. From there, anything can happen, but the bigger the interruption caused to the other side’s economic interests, the bigger the chances and risks of payback.

High ideals and realpolitik may clash once again, but the incentives for a compromise to avoid a messy privacy divorce are huge, providing hope for the future.

