Observations on Office Re – Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re – engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today adaptability and flexibility are key for people and structures (such as a privacy office).

That got me thinking about a large part of my career to date – the establishment and re – engineering of research offices at American universities. By “research” I mean the administration of grants, contracts, and other legal instruments that support faculty research. International grants and contracts are a large component in this area. For instance, the NIH (National Institutes of Health) in Washington, D.C., funds research undertaken by European scientists. That global dimension will only continue to increase in a post – pandemic world, although it appears that a robust European posture towards research is in question as I write this.

My own involvement with the establishment and re – engineering of research offices began at Northwestern University in Evanston, Illinois. We had a major challenge at NU as we were re – engineering operations while maintaining the administration of $165M USD in research funding. Subsequent to that, I established two research offices at smaller universities and then established a contracts / industrial agreements office at a larger university in Texas. While at the latter institution I oversaw two additional re – organizations that built upon the original office.

Those universities provided me with a lifetime of unique and challenging experiences. So, here are my thoughts and observations on best practices for building and re – engineering offices, along with specific comments to the privacy office context:

  1. Every university research office was designed to be public facing, client (faculty) – oriented, and collegial with other university offices. It was critical that the research office work effectively with other university offices. What is the parallel situation in privacy? A privacy office that works collaboratively with a security office (or any other office, for that matter).
  2. No research office was meant to operate as an “island” or a “silo.” A privacy office should not be its own island or silo within a company or other organization.
  3. One particular aspect of these offices was that they were designed for staff to “get out” into the greater community of the university – and beyond. It seems to me that privacy office personnel serve in a similar capacity within in their environment.
  4. When re – engineering an office, particular attention must be paid to client satisfaction and “upping your game.” What does your office do well in Version 1.0, and what do you want to do well in Version 2.0? What pressure points need to be eliminated?
  5. Professional development opportunities for staff must be plentiful. I see this as a common thread between the privacy and research worlds. When you think about it, both areas are intellectually vibrant and subject to rapid change. While it is important to stay abreast of such change, getting ahead of said change is more preferable.
  6. How are you going to measure office success? What are the metrics or KPIs? In the realm of research contracting, for instance, one such measure is the length of time to get a contract negotiated and signed. In privacy, one such metric is the length of time it takes to respond to DSARs.
  7. Lastly, the human / interpersonal dimension of an office is just as important as the technical / legally satisfying dimension. Not only must the office be enjoyable for the staff to work in, but it must be viewed – and in reality – as an enjoyable partner within the environment(s) within which it operates. Research management and privacy management are truly Art + Science.

Research offices and privacy offices have more in common than probably many people would have thought. Both operate in a rapidly changing global environment and are intellectually vibrant. It will be quite interesting to see how these offices function and change over the next few years.

European Essential Guarantees Guide (‘EEGG’) is now LIVE! with myself being one of the contributors thereto.

EEGG focuses on governmental measures aimed at surveillance, interception of communications, access to personal data and storage thereof by public authorities in different countries.

EEGG provides non-binding assessment by expert contributors worldwide of compliance with ‘European Essential Guaranties’ (summarized by the Working Party 29, the European Data Protection Board predecessor) and subsequent European Court of Human Rights case law.

The link is below:


As you may note, some countries are still waiting for their expert contributors, so feel free to join the project and contribute!

Contract Negotiation Best Practices and SCCs

Given the recent CJEU decision in Schrems II with respect to standard contractual clauses (SCCs), it struck me as a good time to revisit best practices in contract negotiation. The suggestions below are the result of 18+ years’ negotiating contracts in law, local government, and academia, including many with colleagues in Europe and beyond.

Whether these suggestions apply to your particular role in the privacy universe, especially in light of the Schrems II decision, I will leave that up to you. So, these practical suggestions and observations *may* be applicable in the privacy realm, but they are certainly applicable in the larger professional world. These are presented in no particular order of importance:

  1. Gather as much information from your negotiating partner as early in the negotiation as possible.
  2. Avoid using texts and certain software programs such as WhatsApp to negotiate, except in rare / emergency situations.
  3. Have an Offer – Concession Strategy: What is important to your organization or company? What are you willing to compromise on and what are non – negotiable issues?
  4. Do more listening than talking. TRULY LISTEN.
  5. Negotiate for the long term. Build a long term relationship, if that is what both parties want. You never know what the future will bring.
  6. The parties’ missions should mesh together. That builds long – term partnerships. No meshing of missions = less chance of success.
  7. Have empathy for your negotiating partner. Understand where they are coming from and then work toward to a mutually satisfying result. This is even more important given the pandemic.

Utilize these in your negotiations – including in privacy – related matters – and you are in good stead for the future. Remember, contract negotiation is art + science, so you need both the technical skills / aptitude AND the interpersonal skills to work in a civil manner with your colleague(s).

One last point. Contract professionals need to be flexible. This was quite true before the pandemic, and it is even more important given the pandemic and the uncertainty unleashed by Schrems II. We are in uncertain times for several reasons, but I suspect that privacy professionals will rise to the occasion when it comes to SCCs and contract negotiation.

The Aftermath of Schrems II

Much has been written about the Schrems II case since its publication 9 days ago. Rather than simply repeat what many others have said on various privacy sites, I want to provide my own take on it within the broader context of what is going on in the world today.

While Schrems II invalidated the EU – US Privacy Shield, the decision cannot help but have implications for other countries throughout the world. What happens when European personal data flows to countries where government commitment and judicial systems are not strong enough to enforce EU personal data protections?

As an experienced contract negotiator & attorney, I have always been fascinated with standard contract clauses – regardless of the subject matter. The evolution of the European Commission SCCs remains a subject of high interest.

With regards to the EU – United States relationship, it is important to remember that there is $7.1B USD of annual trade between the two partners. It is my hope (and confidence) that adjustments may be made on the U.S. side so that this mutually important relationship remains strong and prosperous. Sometimes it helps to be reminded that Europeans and Americans have more in common than in difference.

The pandemic and the situation in Hong Kong may yet play out in ways that many people in Europe and America cannot predict presently.

I close by saying that these are exciting times to be an ethical privacy practitioner, whether in Europe, America, or beyond, and the best way to add value to governments, businesses, and clients of all stripes is through continual and thoughtful professional development.

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blogpost by Lydia covers the Schrems I and II saga. From reading this I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example is Schrems I resulted in the fall of Safe Habor, we all know this, but what is not common knowledge, is that it seems that even Max himself was unaware that Facebook were using SCCs, if he’d known earlier there would have been no Schrems II because it would have been taken at the beginning.

You really should read the complete Post from Lydia, it is actually entertaining 😉

To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the european right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow preceding from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter it is just a compilation of the rights granted on Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3of the Charter?

Looking forward hearing from you soon.



DPAs’ guidances to survive in the post-‘Schrems II’ world

IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called ‘Schrems II’ case. The IAPP will aim to update the register on an ongoing basis.

The link is below:


While privacy pros advise to seek to put in place SCC as a substitution for the invalidated Privacy Shield, it should, however, be noted that SCC are by itself a safeguard with a limited scope of application as: (i) it still does not cover many processing scenarios (e.g., processor-to-controller, processor-to-sub-processor); (ii) it is quite outdated (issued in 2001, 2004 and 2010 in the pre-GDPR world); (iii) its validity has been put on several conditions by the ‘Schrems II’ decision.

Schrems II: what does this mean in practice?

In the flurry of (my) excitement after the Schrems II judgement I got to thinking, isn’t this what we have been saying all along? Anyone who knows me, or who has attended one of my training sessions knows that I usually start with “compliance is not just about doing the right thing, but showing you are doing the right thing”. This is exactly what the judgement is asking us to do now.

The Privacy Shield has been invalidated – mainly because the access is not “necessary” and “Proportional”  and EU data subjects lack actionable remedy. So in practice, companies will need to look for an alternative legal basis to enable transfers under GDPR. There are options of consent or other derogations, but the only practicable way of making transfers valid is by Standard Contractual Clauses  (“SCC”) . These clauses remain valid, albeit with some questions raised.  

Companies will now have to do proper 3rd party due diligence and develop actionable protections for data transfer, either through existing recipient country laws, or through their own contractual measures  – or a mix. So what does “appropriate due diligence” mean in practice? It could mean creating a checklist to understand clearly to which third country the data is being transferred; collecting best practices in relation to the laws of well known “importers”; what security measures can be taken to further protect the data?

In reality, these SCCs were almost “too good to be true”. Some practitioners had developed a bad habit of “throwing” them into a contract, and never looking back. It is of great benefit to the privacy community to see that SCC are upheld. I reinforce the message that companies should understand fully (if they do not already) what EU safeguards require,  do a case-by-case due diligence to see if the foreign government (not only US) protections regarding access to data meets the EU standards and if this is not the case, put in place additional safeguards.

This is exciting for privacy lawyers like me, as we get the opportunity to reinforce our collaborative efforts with our infosec colleagues. This development brings us closer together in determining what the landscape looks like, what is required and how we make it happen. We can now come to the table together and determine how to do these transfers safely, relying on our infosec colleagues for expertise and our legal colleagues to get it airtight in the contract. Then both functions work together to raise awareness in the organisation.

Companies will have to start looking outwards to see if their industry is one that is regulated or targeted and what is the “likelihood” of an interference. This means good things for data subjects as there will be a natural effort to reduce the amount of data transferred to reduce risk – thereby strengthening the minimisation and necessity / purpose principles.

Recipients will have to ensure that they really do have a solid plan in place for end of life – of the contract and of the data within it. We will likely see more complex rolling retention periods established in order to reduce the amount of data held by 3rd parties and thereby reducing risk (of breach and of government interference)

I’m confident the guidance from the Irish Data Protection Commission will contain these principles and I will continue to monitor the developments and report regularly on practical steps companies can take.

If you like what you read, connect with me on LinkedIn!


In the Privacy Shield storm -practical advice

I am and still attending a great session hosted by the IAPP on the Schrems II decision and Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfer from the EU to the US.

Miriam Wegmeister was a great panelist and gave some great insights, very practical and cool lady!

Practical steps as follows:

  • There were some revised SCCs drafted even before this decision which can be used.
  • Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
  • Art 49 normally only to be used in exceptional circumstances, maybe the Commission can relax on this. Art 49 is derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.

The decision is that Privacy Shield is not legal anymore, stop, no grace period, however looking at the UK Information Commissioner website and voila, they are recommending to “continue using Privacy Shield until new guidance becomes available” but do not start using Privacy Shield.

Yes, I’m angry about the Schrems II decision!

Why the hell should a devote privacy and GDPR advocate be angry about this decision, after all it’s good for privacy is it not?

Yes decision is correct, but also no.

Clearly Facebook is a scapegoat, twice now with Schrems I and II. But now we are in limbo again! The fact is that even if the large businesses have heaps of money to bring in an army of legal professionals to replace all Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs), which may or may not work. The Small Medium Business (SMB) do not have this luxury.

Apart from the large businesses, I work with quite a lot of SMBs, and I can tell you exactly how they feel in a single word…. confused in two words confused and hopeless. Most have yet to do their work for GDPR compliance, and those which have, may have done an initial effort in 2018, but have since done nothing.

What makes me angry is that now in 2020, some of these are calling me in because I have created some low-cost tools which help them to help themselves. They are making the effort, but they are in main, using cloud providers from the U.S., and there was a simple remediation, to check that the business was Privacy Shield certified. I had a cheat list of all most common cloud services, if the business wasn’t listed, my recommendation was to move to another which was. And so it was cheap and easy for them to fix themselves, without paying me my expensive hourly consulting rate.

So now all these SMBs have nothing, again. And yes I’m angry, because I was starting to get some traction in the SMB market. My speciality is making this legal stuff doable for any businesses, it’s not rocket science, But now it’s quite ridiculous, there is no way I will instruct every SMB to stop using all U.S. cloud services, they will kick me out. In fact the low-cost GDPR tools I have created are based on U.S. services, and they can’t be moved. There is nothing equivalent in the EU. It feels unfair to the SMB, they are getting the GDPR thing, and how it is good for business. Together, my small business and my customers were starting to make great progress.

It is not only my opinion that the SMB is critical for a functioning society, although maybe it is just mine that it is the SMB which will suffer most from this judgement?

Okay, sorry for this rant. I’m feeling a bit like Ms Angry, but now I’m done 😉

Image taken from https://www.bbc.co.uk/programmes/p05g2zz1.

Ambiguous status of SCC under the ‘Schrems II’ decision

As all privacy community already know, the CJEU has today struck down EU-US Privacy Shield scheme, while confirming the validity of SCC.

Arguments against Privacy Shield has changed little since the ‘Schrems I’ decision that invalidated Safe Harbour – governmental intrusion, lack of proportionality, ineffective role of ombudsperson.

What is really new is that a EU-based data controller relying upon SCC is now expected to assess how public authorities in third countries obtain access to personal data and how legal system in those countries works.

Two questions still remain:

1. How such controllers in question are expected to conduct such evaluation? Any methodology in this regard? It may seem somewhat similar to what we have in Article 45(2) – which factors Commission shall evaluate when issuing adequacy decisions. However, a private entity living with SCC is not a EU body and often does not have sufficient resources and understanding as to how to conduct the research and put necessary safeguards in place.

2. Enforcement. Amid DPAs facing lack of financial resources and manpower, the CJEU’s decision puts even extra burden on them. Thus, a newly invented (by CJEU) requirement may easily end up becoming unviable with no practical effect due to insufficient oversight.

Bonus question: taking into account the ‘accountability’ principle, how exporting controllers should demonstrate their compliance with the new obligation?

Hopefully, answers are yet to come.