Life After Privacy Shield Part 3: The Global Impact of EU Data Privacy Standards on National Surveillance Practices and Global Trade Relations
In our recent webcast, Life After Privacy Shield: The Present and Future of Cross-Border Data Transfer, Chris O’Connor, Director of eDiscovery Strategy at CDS, interviewed Jonathan Armstrong, Partner at Cordery. Here’s Part 3 of the recap of their discussion on the geopolitical implications of the EU’s revamped data privacy standards.
What’s going on with Brexit?
So, I’d like to transition a little bit from the European Union to the EU and Britain, where are we headed? What’s going to happen with Brexit? Last time we talked, earlier this year, we had a little bit of fun as to what was going on. There was a lot of trading of outlandish ideas. It’s been a little quiet lately. Things have been at a standstill. So, the Union is saying, “This is our deal. This is the best you’re going to get. What are you going to do?”
Britain has sent a couple of initial proposals. Where are we headed? What’s going to happen as we get towards the end of this year? Do you see another postponement? Do you see a delay as somebody says on New Year’s Eve, “Listen, no one wants us to go crazy. We’ll extend until February 1st, or we’ll go to March.” Or are we really going to see Britain walk away, and just be out of the Union?
I think it’s a really tough one to call, to be honest, Chris. If you forced me to get off the fence and be non-lawyerly, I think most likely, it will be something a little bit like a corporate deal. A lot of corporate deals get done at 3:00 AM when they should have completed at midnight. And everyone agrees on a small extension. And then, people are too tired, and they sign up to a deal that’s good enough. Then when they wake up in the morning, they regret it. And they wish they hadn’t given on reps, and warranties or whatever. I think there will be some deal done like that. And it might even be almost like an agreement to agree, and the bare-bones of a deal with detail to be filled in.
And regrettably, I think both parties will regret it. I think from an objective perspective, there are barriers to data transfer adequacy decisions for the UK and those decisions take some time to come. But I don’t, in all honesty, think that the UK is less adequate than Japan, is less adequate than China. We’ve had two large fines, recently, against Marriott and BA. Of course, they’re heavily reduced, but they’re still big fines. You could put them against almost any privacy regulator across the EU.
Only Germany, France and Italy, perhaps, have had cases where the total amount of fine has been greater. And in the Google case in France, in H&M in Germany, and Telecom Italia Mobile, in Italy, they’re probably more egregious cases than the BA case was. So, if we’re looking at toughness of privacy enforcers, then the UK probably gets a check in that box. The intelligence services and the powers that they have are obviously a worry. But I think I go back again to what the UN Special Rapporteur said, that there isn’t a gold standard of oversight of surveillance. And the UK is in many respects open about its covert activity, if that doesn’t sound contradictory.
I do think that in the United States, one question left hanging from this most recent decision against Facebook was “what am I supposed to do as a business”? Businesses have zero control over what a national intelligence service does when they tap a line entering into a country. There is no ability to block them. How would organizations even know?
You make a good point that SIS in the UK and NSA have made their access to that information somewhat public knowledge. What they do with that information, of course, remains covert. But those aspects are challenging as you get into states which share less information. There are governments in the global marketplace that are regular powerful players who do not share the details.
Is it likely that the UK faces a challenge out of spitefulness from the EU? Or is it less likely vs. Russia or China who would face more difficult challenges?
Yes, I think that’s a great point. And I think that there are some at a European level who are being somewhat spiteful. I have had–those who follow me on social media might have seen–let’s just say an exchange of views with an MEP in the last few weeks, who I broadly agree with on many things, but he characterized the BA case as something that the privacy law in the UK was engineered by the EU. And that’s just, frankly, nonsense.
UK legislation was first introduced in 1984. That was well before the directive came in, the directive that was, if you like, the predecessor of GDPR. And the UK, in common with many other countries, Portugal, Spain, has had privacy laws even in some cases before their membership of the EU. But I think that illustrates the political issue in some respect. That there are some who believe that the UK should be punished for the way in which its government has behaved. And I think that causes consternation in part because many of us in the UK did not agree with our government’s position. And in some respects, in a democracy, we ought to respect that, and we ought to be fair and impartial. And we shouldn’t let one politician’s hatred of another lead to sanctions against the country.
Like it or not, data privacy is part of a wider trade discussion.
I feel like this is not supposed to be a market discussion. This should be a privacy discussion. And when you bring in that other aspect, you’re making it a market discussion. You’re trying to find a better economic deal when privacy is your lever. Since the UK has been a leader in data privacy for a while, unless you plan on changing the laws in January – is that something that’s happening by the way? If it’s not, I could see this not being as much of a to-do. But since the ECJ’s ruling, I thought it worth bringing up.
Privacy laws are coming online now. How much will the UK and the EU take into account the existence of privacy laws? Regardless of what they say of a federalized, national privacy situation when dealing with countries, economically, will they be seen in a better light if they have such laws in place, whether or not they are on par with GDPR?
Yes, I think these things are definitely linked. And I’ve been a critic of parts of GDPR. But what I won’t deny is that GDPR has forced countries both within and outside the EU to improve their own privacy legislation. And in part, that’s been the case in countries like Japan and South Korea, wanting to get an adequacy decision from the EU, and committing to make that law similar to GDPR as a result. And of course, Japan has had a privacy law, previously, but it’s increasing things like the penalties, as of December. And it’s toughening up its regulatory regime.
So, I think, for countries like Japan, for example, you’re seeing data privacy as part of a wider trade discussion. And I don’t think it’s a coincidence that the adequacy decisions on data were running almost in parallel to trade deal discussions with the EU. But I think what you’re going to see in countries like Japan going forward are obviously more focused on adequacy. And as I’ve said before, adequacy doesn’t mean equivalence. There are various allegations that have been made about the operations of surveillance services in Japan as well.
Obviously, Edward Snowden, I believe, was employed on Japanese soil, whilst an NSA contractor, for a time. And there are criticisms of systems like XKeyscore in Japan. And as I said, the fines are only just going up in December. And even then, they’re only going up to about the $800,000 range.
But I think for countries like Japan, we’re going to see more annual reviews post-Schrems. We theoretically had that with the Privacy Shield deal. First of all, I don’t think the commission understood that annual review meant every 12 months, so they weren’t as regular as they should have been. And I think that we’re going to see more robustness of annual reviews as part of the response to the whole movement. We’re going to see greater scrutiny of security services and greater scrutiny of the laws in some jurisdictions. So, if we’re dealing with investigations or eDiscovery, there’s going to be more of a burden on us, I think, to reach out to local law firms and take an opinion on how the law in their jurisdiction works.
But I think we’re also going to see more pressure group activity. We’re going to see more class actions. This is a hotbed of litigation. For those of us who still have kids at college, that’s not exactly a bad thing. But I think for businesses, doing business across the world will become harder still.
About the Author
Jonathan Armstrong, Partner, Cordery Legal Compliance
Qualified as a lawyer in the UK in 1991, Jonathan has focused on technology, risk and governance matters for more than 20 years. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan is recognized as one of the most influential figures in risk, data security, and compliance in the UK and internationally. For more, visit the Cordery website.