A whole year has passed since the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield and effectively shook the privacy space. Privacy professionals are still considering whether true progress has been made toward a solution to stabilize and safeguard international data transfers during the last 365 days. The answer varies depending on who's being asked.
IAPP Research Director Caitlin Fennessy, CIPP/US, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, and NOYB Founder Max Schrems dissected the CJEU's decision and its potential ripple effects the day after the ruling came down last July, and the three reconvened a year later on a LinkedIn Live session to explore where things stand now and where they might go as the debate around this data transfer dilemma rages on.
On whether companies are positioned to address the necessary safeguards to complete a transfer without privacy infringements, Ustaran has been encouraged by the tools made available to address these issues. Options exist in the form of the European Commission's new standard contractual clauses and the European Data Protection Board's recommendations for supplementary measures for transfers. He admitted, though, that the tools are not concrete solutions but are serviceable for the interim.
"The reality is that transfers are not just going to stop," Ustaran said. "There are a number of tools that are explored and implemented daily — contractual, organizational and technological — to provide that level of protection when data is flowing around the world. For that reason, it is possible to apply that solution while we find the long-term solution for the future. The two things are compatible. One is an immediate solution in the hands of organizations and the long-term is in the hands of the governments of the world."
Encryption is widely regarded and used as a tool to bring a transfer up to EU data protection standards, but questions about who holds the encryption keys weaken the argument that it provides adequate protection. Ustaran indicated, however, that having a third party hold the key could make encryption a workable safeguard.
"To rely on encryption when the importer can easily decrypt the data isn't that helpful when all the government needs to do is to ask for decryption," Ustaran said. "If the key is held by a third party, leaving the importer no right or authority, this is one step removed from whoever is holding the key. … But the moment you put in a technological barrier, you are putting a barrier to functionality. I think it's important to understand what happens if a third party has a key and it isn't available, loses the key or anything like that."
Schrems, whose complaint against Facebook to Ireland's Data Protection Commission brought Privacy Shield's demise and whose earlier legal challenge in 2015 led to the invalidation of the EU-U.S. Safe Harbor Framework, rebutted Ustaran, opining that companies "are not technically asked to figure any of that out" as far as solutions go. Putting the responsibility back on governments, he added that transfers in general were built on "very shaky legal ground." The uneasiness regarding the legality of transfers, according to Schrems, circles back to a general ignorance of EU data exporter laws and reliance on Safe Harbor and Privacy Shield, which he deemed "more of a political deal than a legal one."
"I think we're continuing in the legal bubble to try to somehow save this system that has simply proven to not work," Schrems said. "It's a substantial fundamental issue where we have a clash of jurisdictions. … I just don't see much opportunity for a solution. … We simply have a lot of trying to cover this up with paper happening again."
Among the clear responsibilities falling directly on companies in the wake of the CJEU decision is the requirement to conduct adequacy assessments prior to executing a transfer to a country not deemed adequate by prior agreement with the European Commission. Ustaran believes the assessments are an indication of a successful ruling, noting that the CJEU's aim was to have data "protected in accordance to European standards when it's traveling around the world." What remains unclear to Ustaran is how the rest of the world fits in, given that the focus of the transfer debate has been limited to U.S. surveillance law and government access to data.
"What about the rest of the world and the countries where we don't speak their language or the academics analyzing the law?" Ustaran asked. "Quite frankly, the global view is that most countries are going to have powers to access data. The starting point is we better figure out how to protect it on the assumption that, around the world, most countries empower their authorities to have access."
While Ustaran looks at the situation from a global perspective, Schrems is focused on effects in the EU and upholding the right to data protection for EU consumers as their data moves. With that objective in mind, Schrems suggested data localization and halting the movement of EU data abroad may prove the easiest path to keeping privacy intact.
"It's not the goal, but it might be the solution," Schrems said. "It's something more and more people come to realize. You can pay a law firm a couple thousand euros to come up with papers the next time this goes to court or you can invest the same money into moving your systems. If you're moving to a new system then you may want to consider that."
The IAPP created an infographic outlining the decision by the Court of Justice of the European Union, declaring the EU-U.S. Privacy Shield arrangement is invalid.
The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.