Understanding the EU Data Privacy Decision

Data privacy is the core tenet of the EU’s GDPR, which is wide-reaching and comprehensive

On June 16, the European Court of Justice issued its long-awaited decision in Facebook Ireland Ltd. v. Maximillian Schrems, more commonly referred to as Schrems II. To understand its meaning, you have to understand some basics about data privacy law and transborder data flows.

In general, the EU, under the General Data Protection Regulation (GDPR), has data privacy laws that are both strong and comprehensive. They require reasonable data privacy rules for all personal information and special privacy rules for certain sensitive personal information (e.g., political information, sexual information, medical information). They limit what data can be collected, shared, sold and processed, and give data subjects rights of access, correction, deletion and knowledge about information transfers. They restrict data collection, storage and use to the minimum necessary to accomplish a legitimate purpose, and require that the data be kept only for the minimum amount of time needed to accomplish that purpose. They also require security for such data and that all parties that collect, store, process or have access to that data agree to those protection requirements. Finally, the EU, unlike the U.S., has strong and effective regulations to enforce these rules, which include Data Protection Agencies (DPAs) with the ability to impose substantial fines for non-compliance.

The U.S., on the other hand, has a patchwork quilt of data privacy laws and regulations, typically based on the nature of the information or the jurisdiction of the data subject. So, while California has reasonably comprehensive data privacy laws (including the California Consumer Privacy Act, which went into effect this month), most federal and state laws apply to specific types of information such as healthcare data collected by “covered entities,” or consumer phone records or cable TV records. Not only does the U.S. lack a comprehensive data privacy law, the enforcement mechanism most often is via the Federal Trade Commission (FTC) and its authority to regulate trade practices that are “deceptive” or “unfair.”

And here’s the problem: To protect the privacy of EU residents, the GDPR prohibits the transfer of EU privacy data from a jurisdiction that has “adequate” privacy protections to one that does not. And the U.S. does not.

To solve that problem, the EU had two workarounds. The first is what was called Standard Contractual Clauses (SCCs). A U.S. company that wants to create, store, process and transfer data about EU residents, or data received from an EU data collector or processor, would have to agree by contract to binding corporate rules that provide that data the same level of protection it would be afforded if it were resident in the EU, and would agree to an effective enforcement mechanism in case it did not.

The second workaround was what was called “Privacy Shield,” an agreement between the U.S. government and the EU whereby U.S. companies would sign on to the Privacy Shield Framework (essentially a uniform privacy agreement) and would be provided “safe harbor” and be permitted to engage in transborder data flows from the EU.

The Schrems II decision invalidated the Privacy Shield framework and cast doubt on the continued adequacy of (but did not eliminate) the standard clauses. This was because the U.S. national surveillance policies—which give the NSA and other agencies the ability to collect any and all of the data on EU citizens without any specified need—effectively undermine the concept of “privacy” and are inconsistent with the principle that the data should be protected. The EU court specifically notes that mass surveillance programs like those established under Section 702 of the FISA (PRISM, UPSTREAM and programs established under PPD-28) lack sufficient controls and oversight to protect the privacy of EU citizens. “It is thus apparent that Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programmes,” the EU court stated.

So Privacy Shield is dead, and the hundreds of U.S. companies that signed on to it in the hope that it would enhance their ability to engage in transborder data collection and processing are out of luck. But at least the Standard Contractual Clauses are still alive, right?

Maybe.

The EU decision did not invalidate SCCs, and companies that wish to collect data on EU residents (and companies that have collected such data and want to share it with U.S. entities, affiliates, subsidiaries, etc.) need to ensure that they have such SCCs in place immediately. But it may not be enough. The EU court also observed that “it may prove necessary to supplement the guarantees contained in those standard data protection clauses.” The court recognized that it “may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the [data] controller in order to ensure compliance with that [reasonable] level of protection.” The court noted that it would consider the adequacy of SCCs as applied in individual countries and to specific data on a “case-by-case” basis.

The problem is exacerbated not only by inadequate data privacy laws and enforcement in the U.S. but also by issues such as standing and the so-called “third party” doctrine in the U.S. A data subject or a platform may rely on a third party to host, store, process or otherwise manage or maintain data. That third party should, under GDPR, be required to enter into a data protection and privacy agreement using standard contractual clauses. However, if the government obtains a subpoena or search warrant (or FISA order or other compelled process) and serves it on the third party, the personal data is then shared with the government without the knowledge or consent of the data subject or the company that entered into the agreement with the third party. In fact, the company that collected the data and the data subject may lack standing or the ability to object to its production. The EU court recognized that “standard” contract clauses may prove to be inadequate in some countries—and, sotto voce, in the United States in particular.

Data Privacy Best Recommendations

For now, any company that wants to do business with EU companies, citizens or residents in a way that involves the collection, storage or processing of personal data, or that collects such data and wants to share it, process it, or even transport it to the U.S., should, at a minimum, ensure that every single entity that touches that data has executed a binding agreement that incorporates the standard clause protections. But, depending on the nature of the data and the nature of the relationship, you may want to go further and give the EU resident or data collector greater visibility and ability to object than the standard clauses provide. This may include things such as notice of subpoenas and warrants, or so-called “warrant canaries,” to protect EU citizens’ privacy when data is resident in the U.S.

All told, the Schrems decision reflects the EU’s unease at U.S. government data collection and surveillance policies, coupled with the weakness of U.S. privacy law and of U.S. enforcement mechanisms. It may result in the U.S. having to create more enforceable and broad-based national data privacy laws, or it may result in data balkanization, wherein the data doesn’t move out of the U.S. At the end of the day, it’s all a negotiation.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
