This post continues a series of WLC commentaries following the recent Schrems II judgement by the CJEU. The judgement invalidated the Privacy Shield and confirmed the validity of Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism. It however imposed a requirement on the data exporter and the data importer to ensure, on a case-by-case basis, full compliance with a level of protection essentially equivalent to that required by the EU under the GDPR. In addition, where the SCCs are found inadequate after an assessment of the laws of a third country, then what are described as “supplementary measures” are to be provided. If these measures do not address the inadequacies identified, which in the Schrems II judgement focused on concerns with foreign government surveillance for national security and intelligence purposes, the data exporter is obliged to suspend the transfer of data.
What does this mean beyond the US?
Much of the debate since the Schrems II judgement has focused on the impact to the EU and the US. This is because a) the invalidation of the Privacy Shield relates only to the US and b) the transatlantic relationship is of sheer economic and political significance. However, if you are not a privacy professional following developments closely, you may be wondering whether the Schrems II judgement impacts your organisation if your organisation, or your processors, are based outside the US. The answer is most definitely yes. The judgement talks about “third” countries in relation to SCCs, making this judgement applicable beyond the US. This may have been highlighted less in the past few weeks, but enormous volumes of data are being transferred between the EU and other third countries. China is a good example. The US has many of the world’s biggest tech companies. These are headlined by “GAFAM”, an acronym used to refer to Google, Amazon, Facebook, Apple and Microsoft, but China has emerged as a major player too in recent times. Consider companies like Alibaba, Tencent, Baidu, Huawei and JD.com. But we need to look beyond geographies like China. Consider all the large, medium and small companies across the globe, particularly in emerging markets, that are seeking to participate and thrive in the global digital economy. They increasingly deal in personal data that needs to cross borders, irrespective of their size. Many of these companies may now feel uncertain about how to proceed in light of the Schrems II judgement. The same will be true of companies in the European Economic Area (EEA).
SCCs are standard data protection clauses intended to provide appropriate safeguards for international data transfers under Article 46 of the GDPR. They are the most common mechanism to transfer data across borders between the EEA and third countries. This is probably because SCCs have historically been easy to use, with no need to negotiate terms. The idiom “not worth the paper it’s written on” may come to mind for many privacy professionals. It is arguably similar to the anti-corruption obligations that many companies need to impose on their global business partners. Consider the Foreign Corrupt Practices Act (FCPA) from the US and its applicability to agents. Consider how the SEC and DOJ are increasingly looking to hold companies accountable for ensuring that agents or partners representing them actually do more than sign the paperwork. Yes, boxes get ticked. Agreements or Codes of Conduct are filed away for annual paper compliance audits. But. You see where I am going with this…
The difficulty for many organisations in the EEA will now be the case-by-case assessment of the laws of the many third countries where they are doing business, as they seek to confirm “essentially equivalent” compliance with the GDPR. A potential hurdle for third countries, certainly in a region like the Middle East and Africa, is likely to be that the EU, when it considers what it calls interferences with fundamental human rights like privacy, will have an obvious preference (or bias, depending on your perspective and/or location) for countries with so-called European values. Interferences with the right to privacy are generally only permitted in the EU where they are strictly necessary in a “democratic society”. A brief examination of the widely used Freedom House Global Freedom Scores for countries will give you some indication of the potential complexity facing data exporters when a democratic lens is applied globally.
The Article 29 Data Protection Working Party’s (WP29) four European Essential Guarantees (WP237), created in April 2016 to assess government surveillance and the lawfulness of international data transfers under the GDPR, offer additional insight into government surveillance when transferring personal data, from that EU perspective.
The Guarantees are summarized below for your ease of reference:
1. Processing should be based on clear, precise and accessible rules;
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
3. An independent oversight mechanism should exist;
4. Effective remedies need to be available to the individual.
Law enforcement access to data
A major focus for the Schrems II case in the US/Facebook context was mass electronic government surveillance under FISA, the Foreign Intelligence Surveillance Act. Many data exporters in the EEA will likely need to give some thought to how they can gain clarity about electronic government surveillance in the countries to which they are exporting data, as part of any future assessment of the laws of that third country. This assessment may also need to be extended to include a review of the level of independent judicial oversight and effective legal remedies for ordinary criminal law enforcement investigations, which were less of a focus area in the Schrems II judgement.
A global economy
Digital transformation involves the use of technologies like cloud computing, AI and IoT. Many of these technologies (or services) require the transfer of data across national borders to facilitate trade, to aggregate data for analysis and to make the services both financially feasible and accessible to everyone, irrespective of their geography. The EU, as a very large single market, may be able to demand that all data remains in the EU unless the GDPR is satisfied, but this could be perceived as protectionist or perhaps short-sighted, depending on your perspective. In emerging markets it is likely that multinationals may start to leave if they cannot create viable local infrastructure in standalone smaller markets.
If we are to embrace the potential of digital transformation to do enormous good and address some of the global inequalities that are currently causing such political and social turmoil (in Europe too), then we need to make every effort to ensure that nobody is left behind. Otherwise, the gaps between haves and have-nots will only increase. Cross-border transfers of data are vital to these emerging market regions. Governments on both sides of the equation have important roles to play.
Data residency is not good for the global economy. The World Economic Forum (WEF) has advised that local companies may initially benefit from data residency, but that protecting them from global competition ultimately reduces innovation. Foreign countries begin to reciprocate. Foreign businesses begin to leave. Foreign direct investment reduces. We have seen this movie already.
A regulatory trend over the past few years has been an increasing focus on data localization or data sovereignty. This is often imposed for national security reasons to ensure access to data. Governments are understandably balancing several complex issues, but there are cases where they inaccurately use privacy as a justification for strict data residency. The same misleading argument was made about data security in the past. This has repeatedly been debunked by cybersecurity experts. Cybersecurity is more about enhanced technical controls than enhanced control (read “access”) achieved by location, and often at the expense of access to leading technologies. Local data storage does however give local law enforcement agencies a degree of comfort when it comes to access to personal information. This in turn puts data residency into conflict with the notion of privacy – in certain jurisdictions. In contrast to data residency laws, data protection laws typically seek to protect the data irrespective of its location, provided that adequate safeguards exist.
Data residency is not negative by default. These regulations are all created for different reasons. It depends. They can be broad, or very narrow in scope. However, if data residency is being used primarily to facilitate mass electronic government surveillance and/or law enforcement access, then one can see how this might potentially complicate the assessment process that EEA exporters and their in-country importers will need to undertake on the back of the Schrems II judgement. The resultant reputational risk is obvious. It could make doing business in certain locations increasingly complex, risky and expensive. The question is: what impact might this have on the ease of doing business in many emerging markets?
The Schrems II judgement also pushes the EU legal community into a bit of a corner and may weaken the alternative of good data protection over hardcore data residency as a means to protect personal data in certain emerging market regions. We all support the intent behind the case, i.e. the goal of protecting and enhancing privacy as a fundamental right, but is the requirement to ensure that a third country offers an “essentially equivalent” level of protection to the GDPR, in a national security context, truly feasible for any country in a region like the Middle East or Africa? Will it simply encourage EEA companies to reduce their economic interactions beyond the EEA because of the sheer complexity of having to understand and manage the regulatory landscape?
And then, to play the Devil’s Advocate: which countries currently allow a foreign citizen to challenge the practices of the country’s intelligence services in a court? If you are on the “wrong” side of the fence, you might be tempted to question how many EU member states would pass an examination of this nature. If this argument resonates, first consider that the WP29 expressly stated that the guarantees were “based on what is required by the law and not necessarily on what is the current practice” in the EU. The WP29 added that they were aware of the potential for double standards and had called upon member states “to ensure their surveillance legislation is in line with the jurisprudence of the CJEU and the ECtHR.” It is very much a case of do what I say, not what I do. For now, anyway.
In closing, it is only fair to acknowledge that the EU is seeking to uphold fundamental human rights in an era where individuals are increasingly losing ground to governments across the globe when it comes to privacy. The warning lights have been flashing for some time now. It is an easy habit to fall into these days, but we should also remember that privacy is not just about the EU, the GDPR and May 2018. The UN’s Universal Declaration of Human Rights, with Article 12 governing privacy, was about much more than Europe in 1948 in the aftermath of WWII.
The questions for now may well be: will the third country laws assessment process for SCCs position data residency as the easier alternative for EEA companies if they elect to reduce risk and complexity, even at the expense of access to foreign markets? Could this reduce the role the EU can play in supporting the development of emerging markets? Hopefully not. There is clearly much work to be done. We await what we hope will be pragmatic guidance from the European Data Protection Board (EDPB) and should all stand ready as a privacy community to address the upcoming challenges.