

EU-US Privacy Shield – A Tale of Two Citizens

March 25, 2016


The dust from the transatlantic data flow chaos is beginning to settle. What do you see emerging from the disarray? Do you see just the new European Union – U.S. Privacy Shield? Or do you see people? Who do you see?


Here’s a little help. Edward Snowden, a 32-year-old American, and Max Schrems, a 28-year-old Austrian, have emerged from the trans-border data confusion. Celebrated or despised, they are game changers. They’ve moved governments to historic actions in the interest of the public’s privacy. If you ask them, they both seem to be saying the same thing: people needed to know what’s going on with their private information and what the government and technology firms are doing with it. By so doing, these two have also historically changed the rules of the data marketplace. The resulting EU-US Privacy Shield agreement is replacing the 15-year-old Safe Harbor and will impose stricter access and transparency obligations on U.S. government activities; insist on stricter data-handling obligations for U.S. technology firms that do business in the EU or collect and use EU citizens’ information; and improve the mechanisms that facilitate complaints and remedies for EU citizens whose privacy has been violated.

Whew! That’s a mouthful!

©Mari Helin-Tuominen 2016, for Unsplash

Snowden, a former employee of Booz Allen and a United States National Security Agency (NSA) contractor, is known for his unauthorized disclosures of classified documents on the NSA’s global surveillance programs and activities (not limited to government monitoring of the emails, phones and Internet activities of private citizens). As a result, since these disclosures in 2013, Snowden has been a ‘wanted’ man and now lives under an extended asylum in Russia.

Is he in trouble or what? The Department of Justice’s charges against Snowden are two counts of theft of government property and violation of the Espionage Act. Some say he might never walk a free man on U.S. soil.

Who is Schrems? An Austrian activist who has focused his campaign against Facebook on its violations of EU privacy laws, including inappropriate surveillance of private EU citizens and unauthorized private data transfers to the U.S. Hence, Europe v Facebook. His persistent efforts have led to numerous complaints and lawsuits against Facebook since 2012. Finally, in 2015, following a series of complaints and legal battles, Schrems persuaded the European Court of Justice (ECJ) that Snowden’s evidence is admissible in court against the U.S. government for its mass surveillance programs and violations of EU citizens’ privacy.

Not trying to be funny, but neither Snowden nor Schrems had planned their efforts to intersect in this manner. It just happened at the right time for Schrems.

©Luis Llerena 2016, for Unsplash

Established in 2000, the Safe Harbor framework agreement, which originally streamlined a means for the U.S. government and private organizations to comply with the European Union’s Directive on data protection, was (shockingly) declared ‘invalid’ last October. The European Court of Justice (ECJ) made this decision owing to the aforementioned factors, such as Snowden’s revelation of the U.S. government’s excessive surveillance activities on private citizens. Simply put, what the ECJ decision is saying to the U.S. government goes something like this: if you’re violating your people’s privacy, you’re also violating the privacy rights of our people, simply because you’re pulling from the same repositories (Facebook, telecommunications, technology firms’ databases, etc.) that store personal information from people all over the world, including EU citizens. We agreed on the Safe Harbor agreement to protect the privacy rights of EU citizens, but you’re violating the agreement. You’ve blown it!

The effect of the ECJ decision has been distressing for the U.S. federal government and big businesses, but also for small U.S. technology firms that provide services online in the EU market space. Not only have they felt the drastic decision and all the expenses that the sudden change has brought on business activities, but they have scrambled since October 9, 2015 for answers to resolve the impact of the court’s decision on both business continuity and compliance in the absence of a ‘valid’ framework for trans-Atlantic transfer of personal data from the EU to the U.S. For the businesses the question has been: what’s worse, continue business as usual and violate EU citizens, or don’t do anything and still violate EU citizens? OK, what’s at stake? On the EU and U.S. sides, an economic relationship worth about a total of $2 trillion annually and about $8 trillion in investments.

©Olu Eletu 2016, for Unsplash

By the way, you’re almost done reading this post.

As a member of management you can’t deny that the global marketplace is about people and is for people, not technology. You can’t ‘science’ your way through every data problem, especially the ones involving people. People and their interests matter whether they’re internal or external to your organization, whether they are working for you, working for themselves, or working against you. Technologies are not the problem. Yes, they do give people power. But more than that, people’s voices and actions give them the most power to move or influence a change in you, to push regulations, and to frustrate your controls, business, and mission.

People will force you on the right path, if you’re not already on it.

Don’t ignore them. They keep your business running, so invest in training them. It can be an expensive option if you let them force you to meet your own privacy obligations. With your reputation on the line, it’s an embarrassing situation. Employees might be the “weakest link” or the most vulnerable, but they can drag your reputation through the mud in a day and make you stop and pay attention. They have minds, perspectives, values, morals and privacy needs of their own and want the same for other citizens. There’s nothing weak about that.

So realize that in 2016 your people understand privacy laws and rights, are more aware of their rights than ever before, especially when those rights are violated or they suspect violations. Look around you. Who is the Snowden among your employees? They’re talking directly and indirectly. Verbally and otherwise. Are you listening, or getting the cues?  What are they saying and what do they want? What can you give? What can you do? What will you risk if you do nothing?

And, what about the people outside that keep your business in existence?

Like customers and consumers? Yes. Who is the Schrems among them? What do they need? What can you change? What are they saying and what do they want? What can you give? What can you do? What will you risk if you do nothing?

Really, how powerful is one individual or two? Now you know. Snowden and Schrems. Take a closer look at your organization’s data privacy obligations. Start here.

And, don’t forget to join me at the ISSA International Conference in Dallas this November!
