EU frets over Privacy Shield adequacy, and NGO insists, emperor still naked

The Commission of the European Union is reviewing the U.S.-EU Privacy Shield framework for conformity with the General Data Protection Regulation (GDPR), and NGO AccessNow is again demanding an inadequacy finding.

A lot is at stake.  For the uninitiated, European regulators have a dramatically different take on the protection of personal information than the free-wheeling free marketeers of the United States.  I've written some about the problem here and elsewhere (e.g., here and here), arguing that the American people are not so far from European privacy norms, but it's our law that lags behind the democratic will.  For my money, the definitive macro analysis of why American and European approaches to privacy have differed is James Q. Whitman's.  Anyway, the GDPR does not allow the export from Europe of information to countries that do not comport with its privacy protections, and that creates a monumental problem for the trans-Atlantic flow of not only information, but commerce.

The problem is not new and existed under the GDPR's predecessor law, the 1995 Data Protection Directive (DPD).  A number of mechanisms were devised to work around the problem, and they were approved by European regulators under the umbrella of "the Safe Harbor agreement."  But it's widely understood, at least on the European side, that Safe Harbor was something of a sham: No one with a straight face could argue that U.S. law was comparable to the DPD.  Safe Harbor in practice comprised mostly industry standards, voluntarily adopted and barely enforced by U.S. regulators.  There's also an important piece of this problem in the vein of national security, government spying, and personal information; I'm not even getting into that.

Privacy Shield is stronger than Safe Harbor, but the GDPR is a lot stronger than the DPD.  There have been remarkable advancements in privacy law in some states, notably California, in the EU direction.  And quite a number of court challenges have followed, winding their way through the process, some derived from objections in the commercial sphere, some the civil rights sphere: you've probably heard of "the right to be forgotten."  But our patchwork state laboratories hardly sum reassurance to Europe.  So in the absence of a comprehensive peace offering at the federal level, the debate over the EU's adequacy determination regarding Privacy Shield pretty much boils down to whether or not we're going to admit that the emperor is naked.

AccessNow, a global NGO and sponsor of RightsCon, has consistently called for honesty about the emperor's sorry state.  A recent memo calls on the Commission to rule Privacy Shield inadequate, and AccessNow has invited republication of a new infographic in support of its position.  I hereby oblige. It's past time we get serious about protecting personal information in the United States and stop commercial exploitation of human identity upon industry's abusive invocations of civil rights such as the freedom of speech and freedom to contract.

[UPDATE, 23 Oct. 2019, at 13:53 U.S. EDT: Privacy Shield still good, per EC report issued today.]