Month: July 2020

EEGG focuses on governmental measures aimed at surveillance, interception of communications, access to personal data and storage thereof by public authorities in different countries.

EEGG provides non-binding assessment by expert contributors worldwide of compliance with ‘European Essential Guaranties’ (summarized by the Working Party 29, the European Data Protection Board predecessor) and subsequent European Court of Human Rights case law.

The link is below:

https://www.essentialguarantees.com

As you may note, some countries are still waiting for their expert contributors, so feel free to join the project and contribute!

Given the recent CJEU decision in Schrems II with respect to standard contractual clauses (SCCs), it struck me as a good time to revisit best practices in contract negotiation. The suggestions below are the result of 18+ years’ negotiating contracts in law, local government, and academia, including many with colleagues in Europe and beyond.

Whether these suggestions apply to your particular role in the privacy universe, especially in light of the Schrems II decision, I will leave that up to you. So, these practical suggestions and observations *may* be applicable in the privacy realm, but they are certainly applicable in the larger professional world. These are presented in no particular order of importance:

1. Gather as much information from your negotiating partner as early in the negotiation as possible.
2. Avoid using texts and certain software programs such as WhatsApp to negotiate, except in rare / emergency situations.
3. Have an Offer – Concession Strategy: What is important to your organization or company? What are you willing to compromise on and what are non – negotiable issues?
4. Do more listening than talking. TRULY LISTEN.
5. Negotiate for the long term. Build a long term relationship, if that is what both parties want. You never know what the future will bring.
6. The parties’ missions should mesh together. That builds long – term partnerships. No meshing of missions = less chance of success.
7. Have empathy for your negotiating partner. Understand where they are coming from and then work toward to a mutually satisfying result. This is even more important given the pandemic.

Utilize these in your negotiations – including in privacy – related matters – and you are in good stead for the future. Remember, contract negotiation is art + science, so you need both the technical skills / aptitude AND the interpersonal skills to work in a civil manner with your colleague(s).

One last point. Contract professionals need to be flexible. This was quite true before the pandemic, and it is even more important given the pandemic and the uncertainty unleashed by Schrems II. We are in uncertain times for several reasons, but I suspect that privacy professionals will rise to the occasion when it comes to SCCs and contract negotiation.

Much has been written about the Schrems II case since its publication 9 days ago. Rather than simply repeat what many others have said on various privacy sites, I want to provide my own take on it within the broader context of what is going on in the world today.

While Schrems II invalidated the EU – US Privacy Shield, the decision cannot help but have implications for other countries throughout the world. What happens when European personal data flows to countries where government commitment and judicial systems are not strong enough to enforce EU personal data protections?

As an experienced contract negotiator & attorney, I have always been fascinated with standard contract clauses – regardless of the subject matter. The evolution of the European Commission SCCs remains a subject of high interest.

With regards to the EU – United States relationship, it is important to remember that there is $7.1B USD of annual trade between the two partners. It is my hope (and confidence) that adjustments may be made on the U.S. side so that this mutually important relationship remains strong and prosperous. Sometimes it helps to be reminded that Europeans and Americans have more in common than in difference.

The pandemic and the situation in Hong Kong may yet play out in ways that many people in Europe and America cannot predict presently.

I close by saying that these are exciting times to be an ethical privacy practitioner, whether in Europe, America, or beyond, and the best way to add value to governments, businesses, and clients of all stripes is through continual and thoughtful professional development.

In the flurry of (my) excitement after the Schrems II judgement I got to thinking, isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions knows that I usually start with “compliance is not just about doing the right thing, but showing you are doing the right thing”. This is exactly what the judgement is asking us to do now.

The Privacy Shield has been invalidated – mainly because the access is not “necessary” and “Proportional”  and EU data subjects lack actionable remedy. So in practice, companies will need to look for an alternative legal basis to enable transfers under GDPR. There are options of consent or other derogations, but the only practicable way of making transfers valid is by Standard Contractual Clauses  (“SCC”) . These clauses remain valid, albeit with some questions raised.  

Companies will now have to do proper 3^rd party due diligence and develop actionable protections for data transfer, either through existing recipient country laws, or through their own contractual measures  – or a mix. So what does “appropriate due diligence” mean in practice? It could mean creating a checklist to understand clearly to which third country the data is being transferred; collecting best practices in relation to the laws of well known “importers”; what security measures can be taken to further protect the data?

In reality, these SCCs were almost “too good to be true”. Some practitioners had developed a bad habit of “throwing” them into a contract, and never looking back. It is of great benefit to the privacy community to see that SCC are upheld. I reinforce the message that companies should understand fully (if they do not already) what EU safeguards require,  do a case-by-case due diligence to see if the foreign government (not only US) protections regarding access to data meets the EU standards and if this is not the case, put in place additional safeguards.

This is exciting for privacy lawyers like me, as we get the opportunity to reinforce our collaborative efforts with our infosec colleagues. This development brings us closer together in determining what the landscape looks like, what is required and how we make it happen. We can now come to the table together and determine how to do these transfers safely, relying on our infosec colleagues for expertise and our legal colleagues to get it airtight in the contract. Then both functions work together to raise awareness in the organisation.

Companies will have to start looking outwards to see if their industry is one that is regulated or targeted and what is the “likelihood” of an interference. This means good things for data subjects as there will be a natural effort to reduce the amount of data transferred to reduce risk – thereby strengthening the minimisation and necessity / purpose principles.

Recipients will have to ensure that they really do have a solid plan in place for end of life – of the contract and of the data within it. We will likely see more complex rolling retention periods established in order to reduce the amount of data held by 3^rd parties and thereby reducing risk (of breach and of government interference)

I’m confident the guidance from the Irish Data Protection Commission will contain these principles and I will continue to monitor the developments and report regularly on practical steps companies can take.

https://www.linkedin.com/in/annickobriencompliance/