Editor’s note: IAPP Research Director Caitlin Fennessy, CIPP/US, worked as part of the U.S. Department of Commerce team that negotiated the EU-U.S. Privacy Shield Framework, which governs trans-Atlantic flows of personal information in the commercial sphere.
Now, perhaps more than ever before, it is critical to understand how governments around the world protect the personal information they exchange with each other. In their just-released third edition of "The Guide to U.S. Government Practice on Global Sharing of Personal Information," Onfido Director of Privacy Neal Cohen, CIPP/E, CIPP/US, and Northrop Grumman Corporation John Kropf, CIPP/E, CIPP/G, CIPP/US, help us do just that.
Cohen and Kropf’s guide walks readers through existing accords that govern government data sharing and the principles and history that underpin them. The combination of these two elements gives stakeholders seeking to understand these information flows, or to develop new frameworks to protect them, the toolkit they need. With immediate demands for protected information sharing, such as those driven by COVID-19, and near-term potential for data flow disruptions, along with the pending Court of Justice of the European Union case challenging standard contractual contracts, this guide could not be timelier.
As governments collaborate to stem the tide of COVID-19 and future pandemics, information sharing will play a key role. Can that information be shared by U.S. authorities if it includes data about identifiable individuals? How will it be protected? The arrangements that Cohen and Kropf explore in this guide could shed light on these important questions. The U.S.-EU Passenger Name Record Agreement, for example, which governs the sharing of passenger name records, might come into play. While designed to combat terrorism, the agreement states that “PNR may be used when necessary for the protection of the vital interests of the data subject or other persons,” which Kropf explained could apply in the case of a pandemic.
This updated guide could also serve as a useful reference for those who need to develop or amend data sharing frameworks. The imminent CJEU decision in the pending Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems case could create such a need. The decision could affirm the status quo for commercial data sharing globally or leave government authorities scrambling to develop new commercial and government accords. If new frameworks are needed, what is the scope of the protections they could include? From what existing arrangements might they draw inspiration? Cohen and Kropf’s guide provides a host of examples.
“There are now approximately 7.5 billion people living in a hyperconnected world of globalized trade and mass communication,” Cohen and Kropf remind us in the first sentence of the guide. These individuals rely on tens of billions of internet-connected devices to exchange information and generate data points that zigzag across geographical boundaries. “Underpinning this world of constant global information exchange,” they explain, “are the sovereign laws of the countries in which these information exchanges take place ... that govern how information, including personal information, may be collected, stored, used, transmitted and ultimately destroyed.”
Cohen and Kropf explore how the U.S. government has worked for decades with counterparts around the world to preserve and protect these information exchanges despite the inherent tension that divergent legal approaches to data protection create. Maintaining these exchanges, the authors note, is vital to avoid “serious disruption to the free flow of people, goods and ideas; the effective enforcement of laws; and the ability to provide benefits to individuals.”
While the title of this guide might evoke high-profile revelations of data sharing between intelligence agencies, those issues are far from the focus of or impetus for this book. Rather, Cohen and Kropf systematically walk the reader through the history of government-to-government data-sharing arrangements and the principles and frameworks that have informed them. This historical perspective demonstrates that each new arrangement has been built on those that came before it.
The guide presents and discusses data-sharing arrangements ranging from Social Security “Totalization” agreements of the 1970s to relevant provisions in the recently negotiated U.S.-Mexico-Canada Agreement. It examines arrangements between financial and consumer protection regulators, law enforcement and national security agencies, and diplomatic corps. Cohen and Kropf consider how these bilateral and multilateral arrangements were informed by widely recognized fair information practice principles and the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980 and revised in 2013, which helped codify those principles.
They also explain how these arrangements have reflected and influenced domestic and foreign privacy developments. Finally, they discuss how technological evolution has increased the need for cross-border enforcement cooperation and arrangements to govern the data sharing that informs such cooperation.
Knowledge of this historical precedent offers those working to shape future information-sharing agreements a helpful menu of readily available options. Government officials crafting such arrangements draw heavily on the principles and protections included in past frameworks, by agencies across their government and others’. If it was agreed to before, in any forum, it is much easier to agree to again. Creative approaches in one discipline can inspire those in another. The guide’s lengthy appendixes, which make up the heart of the book, provide readers ready access to each of these agreements.
This holistic and up-to-date compendium of information sharing arrangements is meant to serve as a reference for lawyers, privacy professionals and others who seek to understand U.S. government practice for sharing personal information across borders. No doubt some of these readers will play key roles in analyzing, amending or developing future such arrangements. Understanding how U.S. commitments to data sharing and protection in this space have evolved will provide a helpful lens to guide their work.
The guide is intended for lawyers, privacy professionals and individuals who wish to understand U.S. practice for sharing personal information across borders. The third edition contains new agreements, including the U.S.-U.K. Cloud Act Agreement, EU-U.S. Umbrella Agreement, United States-Mexico-Canada Agreement, and EU-U.S. Privacy Shield framework.