Last year’s European Court of Justice decision on “Safe Harbour” arguably caught both the European Union and United States somewhat by surprise, forcing them to reopen negotiations on a policy area that neither side had any real desire to readdress.
The ruling, which effectively nullified the existing arrangement facilitating data transfers between the EU and the US, gave the affected parties little choice but to work out a new agreement as quickly as possible.
With a preliminary accord on “Privacy Shield” having been reached, the ratification process has screeched to a halt, having been sucked into the stereotypical Brussels political quagmire. Endless discussions, hearings and working groups have not helped to generate any of the positive momentum which this agreement needs.
As a matter of fact, the Brussels bubble has spent so much time caught up in self-generated navel-gazing that it may have missed or ignored key developments on the other side of the Atlantic: complications that could mean an even rockier road ahead for Safe Harbour’s successor.
In the United States, the Federal Trade Commission (FTC) has long been the country’s main privacy regulator enforcing essential consumer protection. However, last year, the Federal Communications Commission (FCC) took it upon itself to reclassify broadband internet service providers (ISPs) as “common carriers” outside the FTC’s jurisdiction.
Quite significantly, on March 31st, the FCC put forward a series of new privacy protection proposals for the ISP sector. However, these rules don’t apply to over-the-top communications service providers, who happen to be the ones handling the most user-generated data. This approach clearly does not reflect the way in which the internet really works.
Unless and until that decision is reversed, either through legal action or through the US Congress, which will ultimately have a final say on the matter, the United States has two privacy regulators overseeing the digital economy.
Though it’s not a done deal, the FCC, thanks to its power grab, now handles major ISPs like Verizon, Charter, and Sprint while the FTC continues to oversee everyone else, including GAFA (Google, Amazon, Facebook, Apple) and beyond.
It’s an arrangement that would certainly raise eyebrows from a European perspective. Currently, a distinction is made by the EU between telecoms providers and other data processors, with additional “ePrivacy” rules applying to the telecoms providers.
Nevertheless, the debate is increasingly moving towards removing this distinction by applying, for example, ePrivacy rules to over-the-top communications service providers (such as WhatsApp and Skype) as well. There is increased awareness in Europe that data protection risks associated with companies such as Google are as great or greater than those associated with other internet service providers, and that old distinctions must be revised in order to keep up with industry developments.
Coming back to discussions on Privacy Shield, the Court of Justice decision stipulated that for a deal to be struck, the US must have data protection rules that are “essentially equivalent” to those of the EU. In the ensuing negotiations, the US did indeed repeatedly insist that the protection it provides is “essentially equivalent”; however, these arguments were based on the old blueprint applied by the FTC.
What we are seeing now in the United States is a glaring double standard. In discussions with the EU, the Americans insist that FTC rules are fair and robust, providing protection that is as good as what is on offer in Europe, and that the problem largely stems from a misunderstanding.
However, in domestic discussions, the authorities have decided that these same rules are not good enough for US citizens. Furthermore, there are valid concerns, as voiced by FTC Commissioner Maureen K. Ohlhausen, that this new set-up in the US, under which two separate authorities deal with the same issue, will lead to inefficiencies and inconsistencies in their approach to data protection.
As mentioned earlier, these developments could not come at a worse time in discussions with the European Union. With the talks on whether to accept the Privacy Shield finely poised, and data protection authorities, the parliament, and the commission all looking to weigh in, the EU does not need its negotiating partner suddenly changing its position. All this can and inevitably will lead to is endless talks and, worse still, further disputes.
What the EU needs from the US right now, on the other hand, is a negotiating partner that can be relied upon to stick to its position, both on home turf and abroad, and with which it can work efficiently to safely facilitate transfers of data, the lifeblood of the digital economy.