The E.U.-U.S. Digital Divide
Privacy Plus+
Privacy, Technology and Perspective
The E.U.-U.S. Digital Divide. This week, the Court of Justice of the European Union, Europe’s highest court, invalidated the E.U.-U.S. Privacy Shield in the case known as Schrems II (Case C-311/18, decided July 16, 2020). The ruling surprised few who follow this area, and coverage of it is everywhere; here is the BBC’s report:
https://www.bbc.com/news/technology-53418898
Today, as we bid farewell to the Privacy Shield, we consider the larger issues—why Europeans and Americans see “privacy” so differently, the improbable existence of “privacy islands” in a digital world that doesn’t respect boundaries, and what your company should do now that the Privacy Shield has been struck down.
Western Geopolitics across the Digital Divide
The movement of data across the world presents profound legal issues that are not regulated under any one law. Rather, global companies confront a multitude of laws, regulators and regulatory approaches.
In the United States, many Americans have come to rely on the wide freedoms that our laws confer without due consideration of the attendant responsibilities that we may have. What we choose to think, to say, to believe, to join, to be, and (often) to do is widely protected by the First Amendment, and whatever action the government may start against us must clear the due-process hurdles of, among other things, the Fourth, Fifth, and Fourteenth Amendments. Under the umbrella of the Constitution, Americans often view “privacy” as a focused and limited matter of protecting against certain intrusive, unfair or deceptive practices (peeping toms, disclosure of private facts, false endorsements, etc.) or of establishing certain sector-specific standards (HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, etc.).
Contrast the United States with the E.U., where Europeans have a very different view of privacy in light of their very different history. Viewed broadly, European fundamental rights and protections are more recent, narrower, and less robust. Government surveillance of whole populations, and sinister use of the results, reached its bloody zenith in the Holocaust and the Cold War, well within the living memory of many Europeans. Therefore, at this moment, Europeans tend to be more sensitive to the need for privacy protections over the collection and use of personal data, and their laws reflect that view.
This is largely why, since the end of World War II, Europe has looked with ever-darkening suspicion at American business’s ever-burgeoning collection and exploitation of personal data.
To Americans, good data is good business: The more you know about your customers, the more you can sell to them! That is a matter of first principles in American business schools.
But to European eyes, good data is the power to abuse: The more you know about other people, the more vulnerable you make them to you.
How has this developed?
Almost as soon as the guns of WWII cooled, the Europeans recognized privacy as a fundamental human right: the 1950 European Convention on Human Rights guarantees respect for private life (Article 8). Decades later they went further and enshrined in the Charter of Fundamental Rights of the European Union not only respect for private life (Article 7) but an express right to the protection of personal data (Article 8). But the entire post-war history of privacy law is the history of Europe’s effort to get Americans to take privacy more seriously.
The E.U. deems the U.S. to have insufficient legal safeguards to protect European personal data properly. As a result, trans-Atlantic data flows are inhibited absent some mechanism that facilitates the transfer of European personal data to the U.S. by ensuring adequate protection for that data.
American companies have grudgingly dragged along, first using the “Safe Harbor” principles, which permitted export of European personal data so long as the importing company self-certified that it adhered to those principles. In the Schrems I decision (2015), however, the European Court of Justice struck down the Safe Harbor after a Facebook user (Mr. Schrems) complained to the Irish data-protection authority that his data, once transferred to the U.S., was insufficiently protected.
Safe Harbor was soon followed by the “E.U.-U.S. Privacy Shield,” which allowed data export to companies that self-certified that they would provide even further protections. Mr. Schrems then reformulated his complaint, this time aimed at Facebook’s reliance on the Standard Contractual Clauses, and the resulting referral to the court (Schrems II) also put the adequacy of the Privacy Shield’s protections in question.
Over the many years while Schrems II was pending, two things happened. Big Tech companies vastly increased their collection and exploitation of personal information, including in Europe. Meanwhile, the U.S. Government continued its foreign “signals intelligence” activities, surveilling all over the world to protect against threats from abroad, including monitoring communications from every imaginable source (including tapping undersea cables, as the U.S. Navy had begun doing during the Cold War).
From the American perspective, neither of these was a problem. Big Tech was not acting as a state actor in a constitutional sense, and the U.S. Government’s foreign intelligence-gathering didn’t offend the Constitution because the Fourth Amendment has been held not to reach searches of non-U.S. persons outside the United States.
But then Edward Snowden, a National Security Agency contractor with a top-secret clearance, revealed to the world just how extensive the U.S. Government’s “signals intelligence” surveillance was, up to and including Angela Merkel’s cell phone and the tapping of those undersea cables.
Europe responded by pressing ahead with the General Data Protection Regulation (“GDPR”), proposed in 2012, adopted in 2016 and in force since May 2018. The GDPR replaced the 1995 Data Protection Directive and the 28 separate national laws that implemented it, rocketing up the power of individual Europeans to control data about themselves and limiting the rights of businesses to collect and use it. Among much else, the GDPR limits export of personal data to (i) importers that bind themselves, by contract terms approved by the European Commission (the “Standard Contractual Clauses”), to protect the data to European standards, or (ii) importers located in countries which provide, in the Europeans’ view, “adequate [privacy] protections” for it. The Privacy Shield was, technically, a limited adequacy decision covering only U.S. companies that self-certified under it; in practice it offered a (iii) third way for American companies lawfully to obtain European personal data. (A fourth way, “Binding Corporate Rules,” is surprisingly impractical: it covers transfers only within a single corporate group, and it requires specific approval from data-protection authorities in Europe, which takes too long and yields little that the Standard Contractual Clauses do not already provide.)
Pointedly, in the European view, number (ii) has never been a possibility for companies in the U.S. To European eyes, the United States has never provided, does not now provide, and has a long way to go before it will provide “adequate [privacy] protections” for Europeans’ personal data.
What does Schrems II mean?
Schrems II invalidates the Privacy Shield regime, thus removing number (iii) from the lawful bases for exporting European personal data to the U.S.
Will there be a successor to the Privacy Shield?
Maybe. We can perhaps hope that the third time will be the charm. Or perhaps those of us who really believe in privacy can all hope for a more comprehensive regulation, one that aligns the United States with the E.U. so that the U.S. is deemed to offer “adequate” data protection.
It won’t be easy. Stripped of myriad details, Europe’s central problem with Privacy Shield, apart from American companies’ cavalier disregard of many of its provisions and generally profligate approach to collecting and exploiting European personal data, was that it didn’t account for the U.S. Government’s “signals intelligence” programs. The court pointed in particular to Section 702 of the Foreign Intelligence Surveillance Act and to Executive Order 12333, found that they are not limited to what is strictly necessary and proportionate by European standards, and found that the Privacy Shield’s Ombudsperson mechanism gave Europeans no effective judicial redress against them. Big Tech aside, National Security Agency antennae, Defense Intelligence Agency analysts, CIA officers, and U.S. Navy submarines are still as clever and industrious as ever, all acting in the interest of U.S. national security, an interest which isn’t likely to abate, to bow, or even to play nicely with the marketing guys in Customer Relationship Management.
Meanwhile, unless and until a successor to the invalidated “Safe Harbor” and “Privacy Shield” is negotiated, agreed, and survives (Mr. Schrems’ next?) judicial challenge, the only practical thing left is (i), the “Standard Contractual Clauses.” The court upheld the clauses themselves, but with a catch: the exporter must assess, transfer by transfer, whether the law of the destination country lets the importer actually honor them, and in “inadequate protection” countries like the U.S. the parties must provide their own “supplementary measures” where it does not. The judgment leaves the content of those measures open; the obvious candidates are technical ones, such as encryption or pseudonymization with the keys kept in Europe, that deny the importer (and therefore U.S. authorities) access to readable personal data.
What does this mean for your company?
In the short run, we believe your organization should:
1. Think through the personal data you actually need to receive from Europe. It may be less than you think, and the GDPR’s data-minimization principle points the same way. Inventory every flow that currently leaves Europe, including backups, logs, remote support access and sub-processors, because each of these is a “transfer.” Leave everything you can in Europe.
2. Look at your agreements with your cloud providers, and check which transfer mechanism their data-processing terms rely on. Microsoft has been following the Schrems II case and preparing for this. You can find the statement of its Chief Privacy Officer, Julie Brill, by clicking the link below:
https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/
We expect AWS to behave similarly.
3. Study the Standard Contractual Clauses and whether you need to enter into them, certainly with your European affiliates but possibly with important counter-parties there. (Note that “Standard” means the wording is adopted by the European Commission; the parties may add commercial terms, but they cannot alter the clauses themselves or add anything that contradicts them.)
You can see the Standard Contractual Clauses by clicking the link below:
4. Monitor this issue for further guidance from the European data-protection authorities on what else U.S. companies (even with Standard Contractual Clauses) need to do to provide Euro-centric “adequate protections” here in the U.S.
A Final Thought
Should Europe’s history prod us to challenge our own comprehensive surveillance systems?
We fully appreciate the importance of national security, and will be first to agree that we all owe an unpayable debt to those who defend it.
But consider: Not only are transparency and accountability key components of every robust privacy regime, but they also lie at the heart of every healthy democracy.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.