It’s already a cliché to say that there’s never a dull moment in privacy. Here comes the Equifax data breach followed in quick succession by Marriott and Capital One; there goes the Cambridge Analytica scandal with the U.S. Federal Trade Commission slapping Facebook a $5 billion fine; make way for Alastair Mactaggart with a new ballot initiative to supersede the California Consumer Privacy Act; now enter "Schrems II" with the invalidation of the EU-U.S. Privacy Shield. Lawyers are running around billing valuable time; engineers clamor for clear rules about server configuration and data location; regulators issue dense opinions and guidance documents; policymakers shuttle between Brussels and Washington.
Welcome to the world of privacy and data protection.
Less than five years ago, in "Schrems I," the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor amid concerns about U.S. government access to data. The next day, the sun rose in the east, and data transfers went on.
Will this time around be any different? I venture to guess, no.
To be sure, the CJEU invalidated Privacy Shield. More than 5,000 companies that have relied on it will run for cover. Despite not hearing any evidence on this issue, the court didn’t approve of the national security laws of the U.S. Would it prefer the national security laws of China? Russia? Brazil, Israel, Canada or even Switzerland? That remains to be seen.
But the U.S., for now, is censured for not providing individualized judicial authorization for government surveillance and lacking due process and judicial redress for “non-U.S. persons.” Unfortunately, I don’t expect this situation to change. The standing requirements in the U.S. Constitution cannot be reconciled with legal challenges by individuals who are never told they are subject to government surveillance. And the Appointments Clause of the U.S. Constitution is not amenable to an entirely independent ombudsperson who would satisfy CJEU demands.
Round peg, square hole.
Standard contractual clauses, in contrast, live to see another day. Of course, the court cast aspersions on their durability as well. Companies can no longer simply sign and forget. They must continually monitor their ability to comply with the contractual terms. This is a good thing, given that critics consider SCCs to be a mere formality; a legal fiction, some might even say. Never once in memory have they been pursued or enforced in a court of law. Perhaps this will now change. The court acknowledges that SCCs are intended for use in countries that do not provide adequate data protection. So using them in transfers to the U.S. is still safe. However, the court now requires the contractual parties — and, as a fallback, the regulator — to adduce “supplementary measures” (paragraph 133), “additional safeguards” (paragraph 134) and “effective mechanisms to make it possible in practice” (paragraph 137) to comply with the clauses. If a company can no longer comply, it must immediately cease to transfer data pursuant to SCCs or risk EU General Data Protection Regulation sanctions.
How will these additional safeguards manifest in practice? Expect the European Data Protection Board and member state courts to issue guidance on this in due course. For now, companies exporting data from Europe — to the U.S. or elsewhere — will have to live with some residual risk. It’s notable that the U.S. national security laws referred to in the decision apply to just a small fraction of companies that transfer data across borders. U.S. Foreign Intelligence Surveillance Act Section 702, Executive Order 12333 and Presidential Policy Directive 28 concern communication service providers, not retailers, manufacturers, health care or pharma companies, or the thousands of companies that use SCCs to export employee data to headquarters in the U.S. This means that the vast majority of companies can use SCCs in transfers to the U.S. Anyone who’s concerned about data being sucked up from undersea cables should encrypt their data in transit; they should do it anyway.
Importantly, after this round, too, the elephant in the room remains. Privacy and data protection laws are ill-suited to address concerns about government surveillance. The EU doesn’t even have jurisdiction over its own member states’ security agencies. In this respect, a U.S. privacy law won’t help. Neither will the California Privacy Rights Act advance California toward EU adequacy. These laws are cabined to commercial privacy. They wouldn’t affect the remit of U.S. law enforcement and national security regulations, such as the Electronic Communications Privacy Act or FISA. But when government surveillance is concerned, the U.S. isn’t the only culprit. Yes, the U.S. intelligence agencies have vast powers, but closer European neighbors, such as the United Kingdom and Russia, have robust national security agencies themselves, as do “adequate” countries, such as Israel, Canada and New Zealand (“Five Eyes”).
And then there’s China.
This week’s “other” big privacy news, the U.K.’s banning of Huawei’s 5G technology, puts the CJEU decision in perspective. Compared to the concerns surrounding China’s reach into Europe’s communications infrastructure, Max Schrems’ complaint against Facebook seems quaint. In contrast to the U.S., which has repeatedly tried to appease Brussels with agreements to soften the hard edge of data surveillance, China doesn’t even pretend to play the game. The general trend is worrying: with Europe pushing toward data localization, the internet risks balkanization.
Nevertheless, even after "Schrems II," data will continue to flow across borders, including from Europe to the U.S. Even China-based TikTok is unlikely to be blocked in Europe or the U.S. The internet, after all, will not break. The show must go on.