Interview: Dominique Shelton Leipzig, Perkins Coie LLP

Just over a week ago, the world of data protection was faced with the somewhat surprising decision from the Court of Justice of the European Union (CJEU) that the Privacy Shield was invalid.

Privacy Shield was brought in to replace the also-invalidated Safe Harbor in 2015. However, privacy campaigner Max Schrems brought a case against Facebook after he discovered that his personal data was transferred by Facebook Ireland to servers located in the United States, where it undergoes processing. He complained that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. This ultimately led to the decision on July 16 that Privacy Shield was invalid.

We’ve heard what data protection specialists in Europe have said about this decision, but what about the view from the other side of the Atlantic? Dominique Shelton Leipzig is co-chair of Perkins Coie’s Ad Tech Privacy and Data Management Practice. Speaking to Infosecurity, she said she was not that surprised by the announcement, and she felt a sense of deja-vu about it.

“It seemed to me that after all the efforts that have been put forward about how US law puts forward a lot of protections for EU residents, it was not able to persuade the CJEU,” she said. However, it was not all negative, as she argued that there were some new opportunities, particularly in reliance on standard contractual clauses (SCCs).

“There has been some doubt cast on SCCs for the same reason that Privacy Shield is no longer an adequacy means, so what this seems to mean is the CJEU is most concerned with the lack of and purpose of a scope limitation with respect to the enforceable rights that EU residents have, the ability to have a judicial remedy and the ability to have some sense of what might be the focus of a foreign intelligence investigation,” she said.

Shelton Leipzig added that, following conversations with European colleagues, hearing from Max Schrems and looking at the toolkit provided by noyb.eu on what should be asked of data importers, she sees a “roadmap for where companies can start looking at this decision.”

In particular, she cited FISA section 702, which permits the monitoring of non-US citizens, and Executive Order 12333, which was signed by President Reagan in 1981 to extend the capabilities of intelligence: 702 relates to electronic service providers and 12333 to controllers of the internet framework. She said that not all companies will fall under the jurisdiction of those requirements, and it was worth organizations doing a risk assessment to determine if they could be subject to either. “So if you’re looking at two controllers that never receive an intelligence request from the US, that is a safeguard that could be made clear in SCCs.”

What did she feel was the overall US response to the decision on Privacy Shield? She admitted that there was some disappointment, evidenced by US Secretary of Commerce Wilbur Ross who said he was “deeply disappointed” by the decision. Looking forward, she agreed that there has to be a political solution to this.

“There is concern on behalf of the 5000+ members of Privacy Shield, and there is uncertainty as to whether their data transfers will be subject to supervisory authority in the EU,” she said. “Looking into those transfers and potentially holding up data, that prospect is very scary. The other prospect that is equally scary is if they are relying on SCCs, that they will be overly scrutinized for things that the average commercial company cannot control.”

However, as we are now almost two weeks on from the decision and learning to live with the way things are going to be, Shelton Leipzig said companies should look at their SCCs and decide which additional safeguards are needed, and how to deal with national security requests.

She said as many companies are taking steps already to determine acceptable levels of assurance, “companies are looking at that as a short-term fix.” She also said longer-lasting political measures are being made, specifically to avoid “tumult in market and upheavals in the commercial sphere, if possible.”

With regards to Executive Order 12333, which permits the filtering of data before it reaches US recipients, she explained that there will be efforts to ensure ways of working within its parameters. “We think there is room there for the order to be amended without giving away national security,” she said.

Shelton Leipzig reiterated that the CJEU decision does leave a clear roadmap that businesses can use to influence the policy decision, and focus policy on the critical factors that the CJEU has put parameters around. “The good news is the CJEU said it is just concerned in knowing when a national security situation arises under 702 or 12333, when judicial remedies will be available to EU residents and how can we have some sense of when an investigation might occur, and what type of areas are at issue.”

In the US, she cited Wilbur Ross as continuing to administer the program and accept applications for Privacy Shield, and said that for many US companies “they still have Privacy Shield obligations.”

Asked if she felt there would be a grace period for businesses to comply with a removed Privacy Shield, she said she was hopeful of one but until the statement comes “US companies and US importers of data absolutely must turn to their SCCs.”

She recommended SCCs be updated by first doing a global transfer impact assessment. This should be the first step, Shelton Leipzig claimed, until we get a grace period for Privacy Shield. Until then, the world can only sit and wait on what the future of international data transfer will look like as uncertainty sits on either side of the world.