There's never a dull moment in the world of privacy. This was proven again July 16, 2020, when the Court of Justice of the European Union shook up the space with its "Schrems II" decision, invalidating the EU-U.S. Privacy Shield while upholding standard contractual clauses, subject to more explicit expectations that the parties assess the adequacy and protection standards of the third country receiving EU data.
On an IAPP LinkedIn Live session the day following the decision, Irish Data Protection Commissioner Helen Dixon acknowledged the double-edged sword the court's ruling represents. Dixon, who initiated the case, admitted that "none of us may like the answer that (the CJEU) came up with" considering the new challenges it creates, but she made it clear her office was "significantly satisfied that the judgement does deliver clarity on the key issues that we needed decided by the CJEU."
Companies are undoubtedly among the disappointed parties, now having to scramble back to the drawing board on how to maintain or reestablish a lawful transfer mechanism without Privacy Shield to facilitate it. Dixon said an immediate starting point for organizations is to recognize their own responsibility for establishing a protected, lawful transfer.
"The onus is on the companies in the first instance to conduct the analysis," Dixon said, adding the accountability requirements set out in the EU General Data Protection Regulation will help demonstrate assessments. "The company is obliged to suspend or not initiate the transfers based on the documented analysis it conducts."
DLA Piper Partner Andy Serwin, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, concurred with Dixon's suggestion but noted that data transfers and responsibilities for their security are a two-way street.
"The burden is on the data exporter, but we all know where it’s going to get pushed," Serwin said. "The data importer is going to have to be able to answer questions sufficiently enough to get the exporter comfortable with where it’s going. It’s incumbent on the U.S. companies that are importing to start to figure out how they can talk about this with European exporters so everyone can get on the same page."
The analysis companies take up will largely need to focus on whether the data being transferred is, or could become, subject to U.S. national security access requests. In Serwin's view, the CJEU found "some structural concerns on a remedial front," meaning that the shortfall lies in U.S. surveillance law itself and could only be fully cured by amending it to meet EU adequacy standards; until that happens, organizational remedies will be key.
"You can't contractually change U.S. law," Serwin said. "As a U.S. company, you can't contractually say 'we're going to get (Foreign Intelligence Surveillance Act) requests' and then not respond. Probably the first thing you can do is be very transparent about at least what you can say about the number and volume of (requests) and say what they're seeking without violating the law. That's where this has to go to start."
Serwin added that data minimization or encryption practices present potential non-regulatory remedies, noting that those practices create a situation where "if you don't have the data, the government can't get it from you."
The good news for some from the CJEU's decision was the confirmation that SCCs will remain in place. The obvious question, depending on one's interpretation of the ruling, is whether SCCs can be applied to data transfers to the U.S. In a statement, Dixon and the DPC voiced their skepticism, calling the use of the mechanism with the U.S. "questionable."
Dixon said during the LinkedIn session that the DPC's stance on SCCs and the U.S. was a "preliminary statement" that required further examination, consultation and guidance.
"We're not making a definitive statement at this point, but we wanted to put our cards on the table with the rush by some to suggest SCCs are the automatic solution for the 5,500 companies impacted by the Privacy Shield invalidation," Dixon said. "We haven't just swiftly come to that conclusion."
Dixon later warned that binding corporate rules likely can't be considered as a definitive alternative to SCCs because they "won't be applicable" as they "are not a broad-based or flexible solution."
Devising a solution on transfers won't be an easy task, but it has happened before. The CJEU's "Schrems I" decision in 2015 ended the EU-U.S. Safe Harbor — over the same U.S. government access concerns cited in the latest ruling — but spurred the creation of the Privacy Shield program.
Serwin suggests that changing definitions and adding safeguards specific to EU residents in surveillance laws like FISA might pave the way to a new EU-U.S. framework. Even if there is political willingness to enact such reform, though, underlying ideological differences on privacy may persist.
"The real challenge has always been that the U.S. views privacy as a property right and Europe views it as a fundamental right," Serwin said. "How do you square up a fundamental human right view with a property right view?"