We’ve been monitoring how to interpret the judgment by the Court of Justice of the European Union (CJEU) in the far reaching Schrems II case which revamped the rules for global data privacy. In our recent webcast, Life After Privacy Shield: The Present and Future of Cross-Border Data Transfer, Chris O’Connor, Director of eDiscovery Strategy at CDS, interviewed Jonathan Armstrong, Partner at Cordery. Here’s Part 1 of the recap of their discussion of how data privacy enforcement has since played out.
Privacy Shield: Gone, but not forgotten
Some people have remained in Privacy Shield. For some businesses, they think that there’s some marketing value with remaining in Privacy Shield. But we know that that’s a difficult decision for many organizations to make. They’ll have to balance the perceived marketing benefit against the possible downsides of annual audit’s remaining in the scheme, paying the annual fee arbitrations, etc. For many, I think, the potential upside, which is virtually nil, will not outweigh that downside. But businesses are going to have to go through their own decision-making, deciding whether Privacy Shield is still for them.
Data privacy will be protected no longer with a shield, but now with a sword.
But it seems that this is also a clear demarcation in the sand for privacy when it comes to European data — that privacy will be protected no longer with a shield, but now with a sword. It’s become an aggressive tool set now to protect data, for European citizens, which is their right. But how do we see this impacting the day-to-day transfer of information required for business to be conducted globally?
Well, I think it’s always been the case that there has been some militarization of data protection, and subject access rights. So, just to give you one example, I mean, way back, let’s say 15 years ago, I was asked to give a second opinion on a strategy to do an investigation in the UK by a U.S. pharmaceutical business. Two senior executives were under investigation. And the U.S. HQ’s preferred way was, of course, to suck all the data across to the U.S., and analyze it there.
I said to them, “I think the better way. . . ” They only needed two investigators, it seemed. Bring the two investigators to the EU. We arranged secondments around that work. They were here a short space of time. And the other requirement I had was that they ate out all the time – breakfast, lunch, and dinner. And we then got objections from the two subjects of the investigation, to that data having been transferred to the U.S. And the investigation had to halt, and was unlawful because that data had gone to the U.S.
And I said, “How can you prove that that data has gone to the U.S? Two investigators working on the investigation came over to the UK and were physically present whilst they did the investigation. And I have 23 pieces of proof from independent witnesses, not associated with me, not associated with the corporation who can prove that. And of course, these were the olden days when you had to sign for your checks at restaurants. But we could use that proof to prove that data transfer hadn’t taken place.
So, we’re still seeing that, particularly with the pandemic, as organizations try and lose headcount, as investigations are more prominent and particularly, as GDPR is more prominent in places like Dublin. We’ve had adverts on the sides of buses that went around Dublin in 2018 telling people what their rights were. So, this education campaign we’re seeing across our desks now, as more and more people are using their data privacy rights, especially, when they’ve been up to bad things.
So, the U.S. law has procedurally, and perceptually sometimes ignored or not considered, how businesses in Europe need to operate, including the ways that protect European citizens, privacy being amongst the most significant of them. So, FCPA comes out, the Foreign Corrupt Practices Act, preventing organizations from paying for access. That’s the shortest version of it. How has privacy in return been utilized not only to a further backstop of European privacy rights, but also how has Europe taken the approach to utilize privacy as a way to stand up to hegemony and say, “Listen, we have a stake in this also. And what are we going to do to protect our own citizenry? But also, how are we going to be able to continue to do business?” How has this perception of extraterritoriality of the U.S. courts impacted business in the European Union and the UK? Also, what are the features do you feel like there is some accommodation to be made?
A lot of people say data is the new oil. And I don’t think that’s true in many respects. One being that there is no OPEC. There is no common framework of agreeing on things like production, and who owns what. And we’re increasingly seeing data used as a political weapon, if you like, or data being used for political purposes. And we’ve had that in Europe for many years now, famously, the French Blocking Statute, which hasn’t been used much, but is there to discourage the U.S. authorities in part from having that long arm into French businesses.
Now, in some respect, some of these concerns have reduced slightly as countries in the EU toughen up their own enforcement. In France, for example, attitudes have changed in regard to data and investigations, particularly, in the areas of whistleblowers, which were in some respects an anathema to the French because of World War II, in particular, but now I think are an integral part of corporate governance that the French authorities would expect corporations to adapt.
It’s been easier for large, global corporations to comply with GDPR.
There’s been this theory from some at the European Commission, historically, that the next Facebook was sitting somewhere in France, or outside of Milan and Italy and it had been stopped from becoming the next Facebook because the incumbent Facebook was pushing it down and restricting competition. And there was a theory that if we use GDPR, in part, as a tool to harm the operations of large U.S. multinationals, then that vacuum would be filled by a data unicorn from the EDU.
Now, I’m not sure I ever bought into that theory, but in any event that not what’s happened in practice. There are studies which say that large corporations, guess what? Large U.S. corporations, in particular, are more able to comply with GDPR, because they have the advertising revenue that funds that compliance effort. And smaller businesses who might be involved in eDiscovery or law firms, etc., have a disproportionate burden because of the complexities of transferring data.
The politicization of data has had a cascading effect.
But I think we still have this politicization of data. You need only look at Russian data sovereignty laws, for example, China notoriously, but also the U.S. as well. Trump’s objections to TikTok in part around adequacy of legislation, et cetera, somehow mirror the ECJ’s criticism of the U.S. So, it’s interesting the ways in which politicians of all hues almost cut and paste arguments and use them against other jurisdictions. So, I think for multinational corporations, then there are complexities. And I think as you’ve suggested, there is a particular issue with EU/UK transfers to the U.S. But in some respects, that’s commercial rather than political. The U.S. should not be treated less favorably than China or Russia, for example, in terms of data transfer. So, I think for many organizations, it’s important to understand not only the law, but also the political aspects as well. Because they are increasingly playing more of a role in some of the legislation that we’re seeing.
You raise China and Russia. It makes it seem based on Trump’s claims, that it might be easier to move data to China from the European Union than it would be to move it to the United States. No one is suggesting that the Chinese from a national security standpoint are less interested in tapping their own lines into the country than the National Security Agency (NSA) is here in the United States. Where is Europe on that?
Yeah, I think this whole thing is problematic because of Schrems II. The most recent Schrems ruling obviously struck down Privacy Shield, but it also placed severe limitations on standard contractual clauses. And effectively, what it said is that to transfer data out of the EU, you’ve got to do double due diligence. You’ve got to look at who you are providing information to and where they are based. So, if that’s a Chinese entity, you’ve got to look at who they are, maybe they’re state controlled, maybe they’re not.
And you’ve got to look at the laws that exist in China. In the U.S., do your due diligence into the corporation. Have they got a track record of data breaches? Will they secure the data? Will they enter an adequate agreement? And then look at the law in that particular U.S. state. And by the way, we’re going to get a new set of standard contractual clauses. They might only be a week or 10 days away. That might be a new agreement out for consultation rather than a hard draft. But the model I think is going to be the same. And that due diligence test is going to be the same. But the difficulty, I think, that most organizations get with that second test, that it’s hard to know of any jurisdiction that adequately protects citizens’ data versus the security services.
We’ve had an interesting speech, I think, by Professor Joe Cannataci. He’s a Maltese professor. He’s the UN Special Rapporteur on data. And he said that there is no golden standard of oversight of surveillance. And I was speaking to French lawyers, yesterday, for example, who were saying, “There is less protection in French law than in UK law.” And so, whenever we look at these adequacy decisions, and we’re going to include the UK in that, the way the current government’s going, then it all gets puzzling.
We know that adequacy doesn’t mean the same thing everywhere. It’s adequacy, not equivalence. But what is this test? Particularly, what is the test on surveillance? So, in some respects, I think it might be easier to transfer data to the U.S. than China, but that will depend on the protections that you can agree on. It’ll depend on things like encryption. And of course, encryption tools are easier to put in place with the U.S. than they might be in China. But what it means, I think, is that there are no hard and fast rules. And there’s going to be more compliance effort in looking at every single data transfer.
You brought up encryption. So, under the Patriot Act of 2002, the United States government has all the keys to the encryption codes. So, how does that work? If the NSA’s access to the line, as it comes into continental United States, presents a problem for the European Union when it comes to data privacy, is that something that we have to wait and see how it shakes out legally?
Well, I think the difficulty of any decision like ECJ’s decision is it’s not there to say what is allowed, it’s there to say what isn’t. So, we’ve got a long track record in our country, and in yours, of not issuing guidance except in very limited circumstances. So, the difficulty is that we can say what isn’t permitted easier than we can say what is.
I can’t tell you that detailed evidence was given to the ECJ on the reach of the NSA amongst others. Obviously, we had the Snowden allegations as well, which were, I think, a heavy part of the court’s reasoning in all of the Schrems’ cases. And we had experts seek to persuade the court unsuccessfully that the U.S. did have adequate protection for data. So, anyone who’s transferring data to the U.S. I think needs to look hard at the meat of the ECJ decision. There could be some possibilities, things like encryption, ombudsman, things like building in extra oversight by contract. They’re not going to work in many cases. They could work in some.