2: The EU will focus its fines on U.S. tech companies.
The limited fines the EU DPAs will impose after their deadline passes in January will focus on the iconic companies of Silicon Valley and the Pacific Northwest. Why? Four reasons: history, the Snowden revelations, momentum and perceived ability to pay.
- History: The 1980 showdown. The U.S. and Europe faced a similar situation on privacy in Paris from 1978 to 1980 at the Organisation for Economic Co-operation and Development (OECD) negotiations on the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. According to Australia’s chair of the talks, Europe called for the negotiations because of its concern over growing U.S. dominance in the new industry of information technology. The Europeans were purportedly worried that the U.S. would structure the Information Age without regard for European privacy rights, but also that Europe could be left behind economically. That antipathy toward the U.S. tech sector has since only increased.
- Snowden revelations. Some of the files Edward Snowden released depict surveillance activities of iconic U.S. tech companies. Because the decision of the European Court of Justice (ECJ) invalidating the Safe Harbor cited U.S. surveillance activities as of 2013 as the main sticking point, those companies could be top of mind for the DPAs.
- Momentum. Several EU regulators are already investigating some of these same American companies.
- Ability to pay. The combined fining capacity of the 28 EU DPAs would be a blip on the cash radar for the largest Silicon Valley companies.
3: Europe won’t invalidate the Safe Harbor alternatives.
Observers have noted that the rationale of the ECJ’s decision invalidating the Safe Harbor could also be extended to so-called model contracts and binding corporate rules (BCR). Model contracts are intercompany agreements committing the U.S. importer of European personal data to Safe Harbor-like requirements. BCRs are a company’s privacy program approved by European DPAs in a way that binds the corporation’s board to enforce them.
Why won't Europe cancel model contracts?
- Not in the DPAs’ interest. European DPAs are publicly touting the ECJ decision as a victory for EU privacy, but privately dreading a wave of inbound citizen complaints they are required to investigate. None has the resources to meet any kind of sustained surge in inbound complaints. Overturning model contracts would do nothing to mitigate this avalanche and might even trigger it.
- Courts proceed case by case. If DPAs dismiss citizen complaints against model-contract situations, the citizens’ next stop is the courts. The courts in turn will review these complaints case by case. The nature of these complaints will be specific to individual companies, and so will the court decisions. They won’t cancel all model contracts en masse.