In the slow-moving world of regulatory plate tectonics, there has been a series of remarkable shifts. Our EMEA Associate and roving expert on all things to do with privacy, cybersecurity and digital ethics explains all in a series of articles for Elnion.
- Part 1: Narrowing the Atlantic Gap: the EU and US are drifting together. An Executive Order signed this week promises to narrow the transatlantic regulatory gap. But will this be enough?
- Part 2: Britain Adrift (again): meanwhile the UK’s post-Brexit relationship with the EU is being tested as it proposes to rip up red tape, water down GDPR and cooperate more closely with the US. As the English Channel widens and the UK drifts towards the US, will this leave the EU out of reach?
- Part 3: Crossing the Divide: where are we headed and how can the data sharing and data protection conundrum be resolved to (almost) everyone’s satisfaction?
Recently we celebrated the 4th anniversary of GDPR. It has become the gold standard for privacy regulation and has been emulated in numerous other laws such as the CCPA in California, POPIA in South Africa and the LGPD in Brazil. However, two major concerns have persisted. Firstly, there is a massive gulf between regulation in the EU, where privacy is treated as a fundamental right, and the situation in the US, where not only is there no federal privacy law, but mass surveillance in the name of national security takes priority. Secondly, there has been a lack of GDPR enforcement, especially against tech giants like Facebook and Google.
Two consecutive transatlantic data sharing frameworks, Safe Harbor and Privacy Shield, have been struck down, essentially for the same reason. Under each, both sides promised to protect the privacy of personal data shared in either direction. This is easy for the Europeans, who are bound by GDPR anyway and from whose perspective little data flows westward that is not already covered. It is almost impossible for the Americans, because US providers are also required to comply with a set of intrusive extraterritorial US laws that are incompatible with GDPR.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 are all incompatible with GDPR. Any “electronic communication service provider” that operates in the US can be served a secret order (a Section 702 directive, for example) obliging it to hand the US intelligence services data that it holds anywhere in the world. The extraterritorial reach of these laws makes any data residency promise by a US tech firm to keep data in the EU meaningless, while the secrecy of the orders means the firm cannot tell people if or when their data is seized, making it impossible for them to challenge the seizure or seek redress.
Things came to a head twice when privacy activist Max Schrems challenged Facebook’s data transfers before Europe’s highest court, the CJEU, overturning each of the transatlantic data sharing frameworks in the process.
The Enforcement Problem
When Schrems’ challenge against Facebook was upheld in July 2020, action should have been taken immediately. No new laws were required. It had been established that Facebook’s transfers broke existing law, namely GDPR, so enforcement action to stop them, if necessary by ordering Facebook to suspend transfers of EU users’ data to the US (which for Facebook would effectively mean ceasing operation in the EU), should have followed at once.
Responsibility for enforcement fell to the Irish Data Protection Commission (DPC), the lead regulator for a number of the big tech firms, including Facebook, that have chosen to base their European headquarters in Ireland on account of its attractive tax regime. Having gone to so much trouble to attract these giants, the Irish were loath to alienate them (the ruling was against Facebook, but could just as easily be applied to the rest as well).
Even a European Parliament resolution, passed by 541 votes to 1, calling on the Irish DPC to act over its inaction failed to stir it. Finally, in early 2022 (almost two years after the ruling), a judicial review of the delays dismissed the DPC’s claim that four years was a reasonable timeframe in which to produce a draft decision. The DPC was ordered to pay tens of thousands in costs and told that the law required a decision within 3 to 12 months. Under increasing pressure from the other Data Protection Authorities (DPAs) across Europe as well, the Irish DPC then filed a draft decision. The other DPAs had a month to challenge it or provide feedback, and their input is now being incorporated into a final decision that they should all be able to agree on.
In a few months we expect the final decision to appear and for it to order the suspension of Facebook’s EU-US data transfers, effectively a total ban on its operating in the EU. Speculation continues on whether this will indeed be the outcome or whether Facebook will be given some leeway, either 6 or 12 months to comply. It has, after all, already had four years since GDPR came into force and two since the ruling against it.
Operating in Limbo
The Schrems II ruling of July 2020 had massive implications. It not only overturned Privacy Shield, the framework many organisations had relied on to share data across the Atlantic, but also severely restricted the use of Standard Contractual Clauses (SCCs), the most common alternative.
In effect, anyone wanting to share the personal data of people in the EU with an American tech firm now needs to apply supplementary measures (the EDPB’s Recommendations 01/2020 set out what these can be). In practice this means either effective anonymisation (not easy to achieve) or strong encryption, applied both in transit and at rest, with the encryption keys withheld from the tech firm in question so that it only ever holds ciphertext.
These requirements apply not only to Facebook but to every organisation that is itself an “electronic communication service provider” with US operations, or that uses such a provider to process or store its data. In effect, every time you share personal information with a US cloud firm, social media firm, SaaS operator or telco, whether the data is held in America or by a subsidiary in Europe, this counts as a transatlantic transfer for which supplementary measures are required. Even if the tech firm provides a data residency guarantee and the data never leaves the EU, it still falls within reach of the NSA and so needs supplementary protection.
Like rabbits in the headlights, few organisations have taken the necessary steps, either to use a local technology provider beyond the reach of American law or to encrypt all their data while holding on to the encryption keys themselves. And so the Irish DPC’s inaction on enforcement has created the ridiculous situation where uncertainty has led the vast majority of organisations not to adopt supplementary measures and therefore not to comply with GDPR.
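The “strong encryption with the keys withheld from the provider” measure above, as an added example that is not part of the original article: Go code (standard library only) in which a hypothetical EU data controller encrypts each record with AES-256-GCM under a key it holds itself, hands the provider only ciphertext, and checks that a compelled disclosure from the provider yields no plaintext. The names ControllerKeyStore and ProviderStore and the sample customer record are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ControllerKeyStore (hypothetical name) stands in for key material the EU data
// controller keeps out of the provider's reach (on-premises HSM, EU-only KMS).
type ControllerKeyStore struct {
	key []byte // 32 bytes: AES-256; never leaves the controller
}

func NewControllerKeyStore() (*ControllerKeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &ControllerKeyStore{key: key}, nil
}

// StoredRecord is all the provider ever receives: record ID, a public nonce and
// ciphertext carrying the GCM authentication tag. No key, no plaintext.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

func (k *ControllerKeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it leaves the controller; the record ID is bound
// as additional authenticated data so a blob relabelled to another record fails.
func (k *ControllerKeyStore) Seal(id string, plaintext []byte) (StoredRecord, error) {
	gcm, err := k.aead()
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Open decrypts a record fetched back from the provider and fails closed on any
// change to ciphertext, nonce or ID, or on use of a different key.
func (k *ControllerKeyStore) Open(r StoredRecord) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("record %q failed authentication: %w", r.ID, err)
	}
	return pt, nil
}

// ProviderStore simulates the US provider: it keeps the blobs it is given and,
// if compelled to disclose, can hand over only those blobs (plus IDs and sizes).
type ProviderStore map[string]StoredRecord

// Leaks reports whether anything the provider could disclose contains fragment.
func (p ProviderStore) Leaks(fragment []byte) bool {
	for _, r := range p {
		if bytes.Contains(r.Ciphertext, fragment) {
			return true
		}
	}
	return false
}

func main() {
	ks, err := NewControllerKeyStore()
	if err != nil {
		panic(err)
	}
	provider := ProviderStore{}
	// Constructed sample record; not real personal data.
	sealed, err := ks.Seal("customer/1001", []byte(`{"name":"Anna Example","email":"anna@example.eu"}`))
	if err != nil {
		panic(err)
	}
	provider[sealed.ID] = sealed
	fmt.Printf("provider holds %d ciphertext bytes; name visible to it: %v\n", len(sealed.Ciphertext), provider.Leaks([]byte("Anna")))
	pt, err := ks.Open(provider["customer/1001"])
	fmt.Printf("controller decrypts: %s (err=%v)\n", pt, err)
	relabelled := provider["customer/1001"]
	relabelled.ID = "customer/1002" // same blob claimed for another record
	_, err = ks.Open(relabelled)
	fmt.Println("relabelled record rejected:", err != nil)
}
```

Two caveats a practitioner should weigh. First, the provider still sees record IDs, ciphertext sizes and access patterns, which are themselves metadata a surveillance order can reach; padding and opaque identifiers narrow that, not eliminate it. Second, a provider holding only ciphertext cannot search, index or run analytics over the data, which is exactly why so few organisations have adopted this measure: the engineering cost sits in key management and in redesigning workloads, not in the encryption call itself.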
Salvation (or maybe not)
Six months ago US President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new EU-US data transfer framework, quickly nicknamed Privacy Shield II. This week, six months after that announcement, Biden finally signed an Executive Order (EO 14086, “Enhancing Safeguards for United States Signals Intelligence Activities”) to give effect to it.
There are elements of the EO that are genuinely positive. Given the importance of transatlantic trade, anything that helps resolve the issue is to be applauded.
To counter concerns about indiscriminate mass surveillance, the EO ….
- “Adds further safeguards for US signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.”
To counter concerns about a lack of oversight, the EO ….
- “Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.”
To ensure that intelligence agencies adopt these policies, the EO ….
- “Requires US Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.”
To address concerns about the absence of any real means of seeking redress, the EO ….
- “Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.”
To address calls for independent judicial supervision, the EO introduces a two-step procedure: the first step is review by the Civil Liberties Protection Officer (CLPO) under the Director of National Intelligence, and the second is referral to a new Data Protection Review Court (DPRC). In addition, the EO ….
- “Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.”
While all of this could be described as real progress and possibly as much progress as could be expected given the constraints of the current gridlock in Congress, it doesn’t really go far enough.
The Schrems II ruling that overturned Privacy Shield was fairly damning. To overcome it, most experts believe that more will be required than this EO alone. The main problems that remain are as follows:
Law versus Order: an Executive Order is an internal directive that can be overturned at the whim of any subsequent President. While the current POTUS may well support these measures, there is a real risk that he loses office in two years’ time and is replaced by Trump, who in his very first week in the White House signed an executive order limiting Privacy Act protections for non-US citizens, including Europeans. What is required is a solid set of commitments enshrined in US law.
The lack of any federal privacy law has forced a number of states, such as California, to introduce their own. Renewed efforts to harmonise at a federal level saw the American Data Privacy and Protection Act (ADPPA) put before the House of Representatives on June 21. There is, however, little agreement yet on the proposal in either the House or the Senate, and Speaker Nancy Pelosi has already said she does not support the bill in its current form. It is therefore far from certain that it will pass into law, and even less likely that additional provisions could be added to incorporate the EO or allay European concerns.
Semantics of Proportionality: where previously the US maintained only that surveillance targeting was “as tailored as feasible”, the EO adopts the EU terminology of “necessary” and “proportionate”. Unfortunately, what the US means by “proportionate” is not what the EU means by the same term. And while the European Commission may be inclined, in the interests of expedience, to turn a blind eye to US law and continued spying on Europeans, it is the CJEU’s definition of “proportionate” that is likely to prevail, probably killing any joint framework yet again.
Court in Name Only: likewise, efforts by the US to present the DPRC as a court by naming it one are unlikely to satisfy Europeans, who will want a truly independent judicial body rather than a beefed-up version of the previously discredited “Ombudsperson”.
These, and a number of other more minor concerns, are unlikely to go away.
Slap in the Facebook
All this is likely to come to a head quite soon. When the Irish DPC publishes its final decision on the Schrems II ruling and the sanctions to be applied to Facebook/Meta, the tech giant will inevitably challenge it, arguing that the EO has changed the ground under everyone’s feet and that the problem has been resolved.
If the Irish DPC agrees with Facebook that the EO has in effect resolved all the concerns set out in the Schrems II ruling, then Max Schrems, NOYB and others will challenge that in the courts; if the DPC does not agree, then the social media giant will bring the challenge instead. Either way, it appears we are heading back to court.