Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform. Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have direct access to the content and traffic data available in the servers of all of the leading Internet communications companies. Whether those reports are entirely accurate will now hardly matter from an EU public policy perspective. You can count on the PRISM story being used as a strong argument in favour of a tough stand on the future EU privacy framework.
Apart from the obvious ‘I told you so’ justifications for a strict and wide reaching data protection regime in Europe that will populate much of the political rhetoric from now on, there are specific provisions in the draft Data Protection Regulation that may end up being the perfect recipe for a conflict of international laws. In particular, the PRISM revelations will increase the reluctance of the EU Parliament to allow disclosures of personal data in response to a legal obligation or public interest duties which do not specifically emanate from EU law. Therefore, any hopes of widening the current references in the draft Regulation to “European Union law or the law of the EU Member State to which a controller is subject” as a basis for either justifying data processing operations which are necessary for compliance with a legal obligation or the performance of a task carried out in the public interest are now substantially smaller. What this means in practice is that global organisations operating in the European Union may be left facing a conflict between complying with legally binding non-EU duties or avoiding a breach of EU data protection law.
The other aspect of EU data protection law directly affected by the PRISM story is the restriction on international data transfers. This is indisputably one of the greatest compliance challenges for EU organisations and one that many of us were hoping would be more pragmatically addressed in the new law. What are the chances of that now?? My guess is that this sort of story is the perfect ammunition for those who seek to maintain the pureness of ‘adequacy findings’ and therefore, it will make it more difficult for any country – not least the USA – that wishes to be regarded as providing an adequate level of data protection. In addition to that, all of the other mechanisms and exemptions to overcome the restrictions on international data transfers – Safe Harbor, contractual arrangements, BCR, transfers made on the grounds of public interest – will be much more closely scrutinised, so global data flows will remain a focus of regulatory attention.
At times like this, it becomes more essential than ever to keep a clear head and get the facts right, because achieving a realistic and balanced legislative outcome with the appropriate safeguards and a degree of pragmatism is as important as respecting our privacy.