.svg)
In the Privacy Soapbox, we give privacy professionals, guest writers, and opinionated industry members the stage to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the privacy soapbox? Get in touch at blog@didomi.io
In the realm of things that appear only briefly before making a definitive exit, the time has come to speak of the Data Privacy Framework, a nervous moth born at the twilight of the European Commission, hatched in the air-conditioned vivarium of transatlantic diplomacy, and already, barely two years after its first timid flights, preparing to have its wings singed on the bluish lamp of the Court of Justice of the European Union.
What should we do with such a legal instrument?
Professionals in personal data protection are, of course, accustomed to relying on the concept of privacy-by-design. This principle, set out in Article 25 of the GDPR, requires that personal data protection be considered from the very first lines of code. In theory, it’s that idyllic moment when law and tech share a matcha latte on a sun-drenched café terrace. In practice, it’s more often a game of hide-and-seek between lawyers and developers: the former armed with their compliance checklists, the latter with their roadmaps. In any case, the atmosphere is convivial. Cancel your corporate retreats, if you really want to entertain your teams, just try applying privacy-by-design.
But as charming as its virtues may be in the corporate world, applying the concept of privacy-by-design to data transfers can raise serious ethical questions for any DPO. Because if one takes the mission seriously, if one sincerely intends to contribute to the edifice of personal data protection, shouldn’t one simply ignore any adequacy decision, whether it be called Safe Harbor, Privacy Shield, or the Data Privacy Framework? In other words, is applying privacy-by-design while relying on the Data Privacy Framework (a legal basis that is itself doomed-by-design) not potentially a form of professional misconduct?
Because doomed it is, the Data Privacy Framework, just as adequacy decisions in this area seem to appear as fast as they disappear. They vanish so quickly that one barely has time to grow attached; just as you’ve learned their nuances, it’s already time to say goodbye. Let’s do the math: fifteen meager years for Safe Harbor, four for the Privacy Shield, and, in all likelihood, just a handful for the Data Privacy Framework. While the name of the next iteration remains unknown, there is little doubt that a new adequacy decision will emerge to take its place if (or rather, when) the Data Privacy Framework is invalidated.
I’d like to take the opportunity of this article to offer a few suggestions to the international negotiators who will be tasked with preserving the impermeability of our digital lives in the future. My instinct would be to campaign fiercely (to take up arms, even) in favor of “Digital Bridge,” which would return us to the tradition of comforting imagery (Shield, Harbor, Bridge, River, Moonlight, Owl hoots on a summer evening, etc.). A consensus may instead form around the more honest, though bleak, “Provisional Compliance Mechanism.” But without a doubt, it is “Schrems-Resistant Framework” that would come closest to a version of the truth.
In short, it seems clear to me that any adequacy decision involving data transfers between Europe and the United States has about the same chance of enduring as a prestigious Neapolitan villa built near Mount Vesuvius. The Data Privacy Framework thus appears to have a definitive fate, similar to that of Pompeii or Herculaneum, in that it will one day be buried under several meters of ashes. And this, regardless of the ingenuity of the lawyers behind the final structure, no matter how refined the craftsmanship that may have animated these poor human creatures. A destiny fulfills itself, that’s just how it is. For it is certain that it will collapse, just as even the Schrems-Resistant Framework will one day collapse too, even if not because of Schrems himself.
Why this built-in fragility, you may ask? Quite simply because the volcano keeps erupting, and the data keeps spewing from the molten crater of our digital economies.
What’s new with the Data Privacy Framework is that, this time, it was also built on foundations of dubious strength on the other side of the Atlantic: namely, the sand-written premise of a presidential executive order. Which means that with every new tide, with every new election, it risks being erased by the waves. On that note, one will be paying close attention to the Trump tide, which, by firing three of the four oversight members for being Democrats, has already gutted the effectiveness of the DPF’s most important institution: the Civil Liberties Protection Officer (CLPO), the office where complaints from European citizens are to be examined. Having elevated this institution to the status of cornerstone of the DPF, the European Commission now stands out for its silence in the face of its collapse.
The Data Privacy Framework is therefore now under threat on both shores of the Atlantic. Never before have we seen a legal instrument so frail. A colossus with feet of clay, a cathedral of law balanced on a thread, a legal symphony built on scaffolding... there is no shortage of metaphors to describe the precariousness of the Data Privacy Framework.
Under these conditions, how can any DPO avoid burning out once a year? That’s a topic we’ll explore in a future article.
.avif.avif){kind=tracking}
