Looking beyond transatlantic data transfers

President Barack Obama holds a meeting with Trans-Pacific Partnership leaders alongside the APEC Summit

The International Privacy and Data Protection Commissioners Conference brought together privacy regulators from around the world in Marrakech, Morocco late in October.

In recent years, the group’s discussion has been dominated by transatlantic issues. Last year in Amsterdam, the agenda was planned around the work of the “Bridges Project,” a two-year effort by privacy scholars on both sides of the Atlantic to reconcile differences in the U.S. and European privacy regulatory systems.  That agenda was overshadowed by the decision from the Court of Justice of the European Union just before the conference that blew up the main bridge between the U.S. and Europe, the Safe Harbor Framework.  Not coincidentally, that decision followed two years in which the Snowden leaks loomed over the proceedings.

This year, though, the new Privacy Shield framework is bringing a lull in the transatlantic data transfer battles, and European regulators are focused inward on the herculean task of implementing the EU’s new General Data Protection Regulation that goes into effect in 2018.

Meanwhile, half of the world’s GDP comes from countries outside the U.S. and EU, and that half of the world is adopting privacy and data protection rules for their increasing data flows to and from the U.S., EU countries, their own regions, and elsewhere around the world.  Some of their privacy policymakers have been restive about the transatlantic focus of data transfer discussions on the international stage.  This other half also has an increasing voice among regulators:  the privacy commissioners group is chaired by New Zealand’s commissioner, and next year’s conference will be held in Hong Kong, which has joined the group’s executive committee.

Seeking “adequacy”

A number of countries have lobbied the EU for recognition of “adequacy” under its privacy legislation, which would authorize transfers to these countries of personal data of people in the EU.  This is a slow-moving process: in the 21 years since the EU adopted its existing privacy and data protection directive, the European Commission has issued such recognition to just ten countries (half of which depend inextricably on ties to the EU: Andorra, the Faeroe Islands, Guernsey, the Isle of Man, and Switzerland).  Plus, the Commission has reached the sui generis arrangements of Safe Harbor and Privacy Shield with its largest economic, strategic, and political partner, the United States.

It is likely to be some time before the EU recognizes any additional nations as “adequate.”  The CJEU Safe Harbor decision a year ago ruled that the European Commission’s approval of the Safe Harbor framework failed to address whether privacy protections for data transferred to the U.S. are “essentially equivalent” to those under EU law, including as against government access.  This omission applies to all the other adequacy determinations, requiring the European Commission to overhaul its template for making these determinations.

The Commission has indicated it will revisit its existing adequacy decisions, which include those for U.S. “Five Eyes” intelligence partners Canada and New Zealand. The precise standards by which the Commission must decide whether any of these are “essentially equivalent” to EU law are vague, because the Court was addressing hypothetical absolutes on the basis of uncontested allegations.  Hence, the Court stated as a matter of principle that unrestricted “storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States” and “legislation not providing for any possibility for an individual to pursue legal remedies” to correct or erase data stored about them would violate EU fundamental rights, but the application of these hypotheticals to more nuanced situations remains to be seen.

Until the adequacy standard and review process are fleshed out, the Commission will be hard-pressed to issue adequacy determinations for any new countries.  These include Japan, which last year adopted a new privacy law closely modeled on European law with a keen eye on making an EU adequacy determination easier.

Moreover, the new data protection regulation moves the target even further because the regulation changes the benchmark by which adequacy will be measured, though the language of the adequacy standard remains the same.  Numerous countries have based their laws on the European model; these include countries in Latin America and Africa that have modeled laws on those written in the languages adopted from their former colonial rulers.  All these countries may face revising their laws in light of the European regulation if they want the EU to recognize them as adequate.  Such ratcheting of privacy rules is entirely consistent with the European Union’s ambition to set global standards for privacy.

From Atlantic to Pacific

The Asia-Pacific region has been developing its own approach to cross-border data flows.  The Asia-Pacific Economic Cooperation group (APEC) adopted a Cross Border Privacy Framework incorporating privacy principles in 2005.  In 2011, APEC leaders approved Cross Border Privacy Rules designed to protect privacy in transfers of personal data by agreeing to abide by the framework principles and be held accountable for such agreement.  So far Canada, Japan, Mexico, and the United States have made these rules effective in their countries by designating entities to monitor companies’ compliance with the principles.  Hong Kong, Singapore, and South Korea are exploring the same step.

More countries need to do the same and join the Cross Border Privacy Framework.  For companies, putting the APEC rules and accountability requirements into place takes substantial work, and having them work in more countries would make the effort worthwhile.  Putting the framework into effect is also an undertaking for governments, especially if the task of holding companies accountable is assigned to the privacy regulator rather than a third party (as in the United States).  But there is an economic benefit to lubricating flows of data across the region.  Singapore, for example, has achieved a number one ranking on the World Economic Forum’s “Networked Readiness Index” on the strength of policies promoting the use of information and communications technology and online services by its population; having a mechanism for trusted flows of personal information would complement and build on this competitive advantage toward Singapore’s “aim of becoming an Asian version of Silicon Valley” and a hub for regional markets.

To date, privacy laws around the world have tended to follow the European model.  Will the world wait for the EU to refine its model, or will it forge its own path? Harmonizing privacy systems – all singing the same tune – is hard.  What is needed is interoperability.  Think Mac and PC: once, you had to use one or the other, but now that applications have adapted, it’s possible to move seamlessly from one to the other.  On that a global conversation has begun, but it has a long way to go.