International companies transferring personal data to multiple third countries are unlikely to find a fully workable approach to the ‘Schrems II’ implications any time soon.

Why do I think so? It stems from a superb article by the IAPP authors, who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and continue transferring data to the USA on the basis of supplemented SCCs (see the link below).

Just take a deeper look and see how many details of US law are taken into account and analysed before practical recommendations are given. At the same time, the CJEU has effectively introduced a requirement to evaluate the legal landscape in every third country that imports data.

This means that the same exercise has to be conducted for each third country. In many of them the laws may not even be translated into English or be publicly available, and case law may be unclear or absent altogether. Such an analysis will almost certainly require a great deal of time and money, and there is no grace period.

Where to get help:

  1. See my short article on how to start with the assessment without spending budget: https://www.linkedin.com/posts/tiazhelnikov_two-money-saving-starting-points-on-how-to-activity-6696105568085561344-qJFl
  2. See Essential Guarantees Guide (https://www.essentialguarantees.com) which can help you analyse surveillance practices in different countries across the globe.
  3. Expect more from me on that issue in the following weeks, as we at Carlsberg HQ are launching a «Schrems II Working Group» to share thoughts and develop an action plan.
  4. Remember that a ‘wait and see’ approach is not an option here; complexity is no excuse for doing nothing in the hope that the Supervisory Authority will wait too.

BCRs: Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussion of the legality of Binding Corporate Rules since Schrems II; after all, surveillance in the U.S. is omnipresent and we have no control over it here in the E.U. But in reality what this decision means is that we need to be realistic: business must go on.

My take on the transfer of data is to dive into the potential risks to the rights and freedoms of the natural person. If there are none, e.g. you are only transferring the email address and name of the individual, and maybe business activities are added to a log, e.g. financial records, I find it difficult to force myself to change an established business practice, especially now in coronavirus times, when many businesses are in survival mode and many are close to bankruptcy. If HR data is being transferred, then this clearly must change.

Even as a privacy professional, I am sceptical of all the fuss and hype about blocking all personal data transfers out of the EU to a country such as the U.S. (now lacking an adequacy decision with Privacy Shield gone) because of Schrems II.

I guess if I weren’t a small startup myself, serving small and medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing; they have too much to lose, and when it happens it can go quickly, so money spent must be prioritised. For the SMB, Schrems II is like double Dutch, all this legal speak; it’s outside the boundaries of their business operations, and the Data Protection Authorities get this. They are not normally targeting the small actors selling consulting, car repairs, chickens or a pair of shoes; they are after the biggies.

Cookie consent banner for the SMB

There’s been quite some cookie talk lately on this blog, and one reason is that I, as CEO of my little startup, have been looking for a cookie consent banner that costs nothing for my website.

So why only now? Well, until recently I only had essential cookies on my website, which didn’t require cookie consent; I had inserted a banner and notice. However, I then started adding YouTube videos and a chat widget, Zoho SalesIQ, which came packaged with an analytics engine.

So when one of my LinkedIn connections was kind enough to point this out, I responded without thinking that only essential cookies are used… I felt just a little stupid when I realised that I’d been so deep in getting my business out to market that I’d actually missed the privacy thing, which is not good, since after all my business is about GDPR compliance!

So I was on a mission: install a cookie consent banner with a preference centre on my website. The catch was that I had no budget for this. I am after all a small business, and all these small costs add up to something more; not all small businesses have funding for extra overheads. I wanted to find something I could recommend to my customers and partners, many of whom are SMBs, so that they have (1) a free option and (2) a paid option.

The criteria for an SMB, as I see them, are:

  1. There must be a free option.
  2. It must work on all websites, e.g. even OneSpace, Wix, one.com.
  3. It must be easy to set up without too much technical know-how.

Most cookie banner solutions cost money, and you can expect to pay circa €9 per month. However, there are some free ones out there, with restrictions such as a single domain, but this is good enough for most of my customers.

On a technical level it needs to work on all types of websites. Mine, for example, is hosted on one.com, and some of the solutions I came across and tested didn’t work because they required me to install code in the HTML header, which I don’t have access to; I can only insert code within the page or the footer.

Ease of setup was not great. I spent 2 days looking for and testing suitable cookie consent banners. Of those I found, I tested 8, and became extremely frustrated, because IMHO this should be EASY, but it most certainly was not. I am not technophobic, and I have a decent level of competence to make this work. But it required JavaScript, and of all I tested only 2 came close, and only one met both the technical criteria for the SMB and the cost criteria. That was Termly.

Now, I still say there is no excuse for how the Guardian’s banner was configured; they have the money to pay a techie to do this work. But for a small business, setting up a cookie consent banner is not reasonable if 2 days of work are required to find, test and install one. That is why I have written this blog post. If you’re an SMB you don’t need to waste time looking. Carry on reading for an alternative to Termly later on…

It doesn’t stop here. I then checked this blog to look at cookies. This blog was originally set up by myself in 2007, and cookies weren’t a big thing then. Ever since, I haven’t given a thought to my musings on this blog needing a cookie consent banner, because I wanted to believe that Article 2 applied, the household exception. However, now we are many authors, and unfortunately WordPress downloads over 80 cookies! Even though this is a personal blog, now for many, we needed to fix this, now that I’m on a cookie kill drive and starting to hate these little blighters!

Now if your business website is using WordPress you must upgrade to Business to get the plugin for free, and this should be easy to install, although I haven’t tried it yet, because this is a personal blog and I don’t intend to upgrade at a monthly subscription of €35 just to get my hands on a cookie consent banner. I checked some other cookie banner options. I received a tip on Metomic from a privacy connection, and I liked it; I wish I’d found it before. But when it scanned this virtualshadows blog it reported there were no cookies, which is a lie. It could be because the blog is not on its own domain. But Metomic looks easy to use, is free, and could be worth testing as an alternative to Termly. I may even replace Termly with Metomic, but it does require some code in the website header; I’m not sure if this is required or optional.

As it looks now, unless I find a free cookie banner, this blog will be migrated to another platform. The criteria: it must be free of cost, and free of cookies.

My takeaway from the last 3 days… is that the cookie consent banner has pulled me, a single-person resource in my business, away from product development and revenue-generating activities. GDPR has in practice blocked innovation and growth. I became angry and frustrated, not only by the activity but at the thought that every small business out there which requires a cookie consent banner will find it just too difficult to fix, and they don’t have the budget to pay someone else to do it, as the larger organisations have.

Let’s get creative with cookie banners! I’m sure it’s fine?

I am seeing more and more of the new type of cookie banner, which basically informs you about non-essential cookies, i.e. it is not required for the essential ones, which is great. However… there is some creative engineering at work which is not compliant with GDPR. I end up accepting non-essential cookies, for whatever reason on my side, but really because on the cookie side opt-out is not set as the default. Let’s take a single example.

I was visiting the Guardian newspaper this morning and it got me thinking again about cookies. Privacy by design and by default is about ensuring that the user needs to do nothing to protect his/her privacy; data protection by default in the GDPR is based on this concept. However, what I found on the Guardian website was most definitely not opt-in, it was opt-out, and the Guardian newspaper is British, still part of the EU?

What I observed was a very interesting technique to discourage the visitor from opting out. When I first arrived on the Guardian newspaper website the following notice popped up on the cookie banner, which looks good.

We and our partners use your information – collected through cookies and similar technologies – to improve your experience on our site, analyse how you use it and show you personalised advertising.

But then it continues with the following. The default, “I’m OK with that”, is not what I would expect unless by default all cookies are in opt-out mode. But at this stage I really have no idea. My expectation as a privacy guy is that opt-out is the default setting.

However, when clicking on Options, the following message is displayed, and it is still not clear whether cookies are loaded onto the visitor’s device by default or not; the “Off” toggles are not selected, nothing is.

I went to the cookie notice and found that in fact cookies are downloaded by default, and it is necessary to go through to another site to configure them.

And this is what got me thinking. Non-essential cookies should be switched off by default, i.e. opted out. And it should not be more difficult to opt out than to opt in.
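As an added illustration of those two rules (not code from this blog, from Termly, Metomic or any other banner vendor), here is a small consent gate in plain JavaScript: non-essential categories start off, third-party loaders run only after an explicit opt-in, withdrawing is the same single step as granting, and a small audit flags the banner patterns described above. The category names, the cookie name, the loader names and the fields of the banner description are all assumptions made for the example.

```javascript
// Consent gate: every non-essential category starts OFF, third-party code loads
// only after an explicit opt-in, and withdrawing consent is the same single
// step as granting it. Categories and loader names are constructed stand-ins
// for the real <script> insertions (chat/analytics widget, video embeds).
const CATEGORIES = {
  essential: { required: true,  loaders: [] },
  analytics: { required: false, loaders: ['chat-analytics-widget'] },
  media:     { required: false, loaders: ['video-embed'] },
};

const COOKIE_NAME = 'cookie_consent'; // assumed name of the one first-party cookie

// Data protection by default: only required categories are on, nothing else.
function defaultConsent() {
  const consent = {};
  for (const [name, def] of Object.entries(CATEGORIES)) consent[name] = def.required;
  return consent;
}

// Read a stored choice from a Cookie header string. A missing, truncated or
// tampered cookie falls back to deny-by-default, never to "accept".
function readConsent(cookieHeader) {
  const consent = defaultConsent();
  if (!cookieHeader) return consent;
  for (const part of cookieHeader.split(';')) {
    const [key, value] = part.trim().split('=');
    if (key !== COOKIE_NAME || value === undefined) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(value));
      for (const name of Object.keys(CATEGORIES)) {
        // Required categories cannot be switched off by the cookie either.
        if (!CATEGORIES[name].required && typeof stored[name] === 'boolean') {
          consent[name] = stored[name];
        }
      }
    } catch (err) {
      // malformed value: keep the default and let the banner ask again
    }
  }
  return consent;
}

// Serialise a choice as a Set-Cookie value: first-party, bounded lifetime,
// SameSite=Lax. Only the non-essential flags are stored.
function writeConsent(consent, maxAgeDays = 180) {
  const stored = {};
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].required) stored[name] = consent[name] === true;
  }
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax`;
}

// Granting and withdrawing are one and the same operation, so neither is
// harder than the other. Essential categories are never toggled.
function setCategory(consent, name, granted) {
  if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
  if (CATEGORIES[name].required) return { ...consent };
  return { ...consent, [name]: granted === true };
}

// "Reject all" must be as cheap as "Accept all": both are a single call.
function rejectAll() { return defaultConsent(); }
function acceptAll() {
  const consent = {};
  for (const name of Object.keys(CATEGORIES)) consent[name] = true;
  return consent;
}

// The gate itself: the only loaders allowed to run for this visitor right now.
function loadersAllowed(consent) {
  const allowed = [];
  for (const [name, def] of Object.entries(CATEGORIES)) {
    if (consent[name] === true) allowed.push(...def.loaders);
  }
  return allowed;
}

// Audit a banner against the two rules above. The input is a constructed,
// hypothetical description of what the visitor sees, not any vendor's API.
function auditBanner(banner) {
  const rules = [
    [banner.nonEssentialPreselected, 'non-essential categories pre-selected: must default to off'],
    [banner.loadsNonEssentialBeforeChoice, 'non-essential cookies set before any choice: not opt-in'],
    [banner.hasAcceptAllOnFirstLayer && !banner.hasRejectAllOnFirstLayer,
      'accept is one click but reject is not: opting out is harder than opting in'],
    [banner.settingsRequireLeavingSite, 'preferences only configurable on another site: no reasonable opt-out path'],
  ];
  return rules.filter(([broken]) => broken).map(([, msg]) => msg);
}
```

Wire `loadersAllowed(readConsent(document.cookie))` into the page load and call `writeConsent` from the banner's buttons; a banner that fails `auditBanner` with no findings is the configuration to aim for.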

The Well-Being of Privacy Professionals: A Critical Component for Success

The fields of privacy and data protection are fairly new areas of professional activity. Certainly the last generation or so has seen an explosion in job growth. The question naturally arises, then, whether individuals working in the area are happy and professionally satisfied. Do they derive professional satisfaction? Are they thriving? Is stress in the workplace too much? Are they supported by their leadership? Do they have a satisfactory work-home balance? Does job stress cause privacy pros to seek relief by turning to alcohol, drugs and other substances? These are all critical questions that need to be asked as the areas of privacy and data protection continue to develop on a global level.

Another field, law, has been grappling with the topic of lawyer well-being for a number of years now. In fact, the topic of lawyer well-being is being addressed by a number of state bar associations in the United States. In 2017 the National Task Force on Lawyer Well-Being released a report, which was based on a 2016 survey of 13,000 practicing attorneys. That survey found that too many lawyers are not thriving. The reader is encouraged to check out this material at: https://lawyerwellbeing.net/.

I was honored to be appointed to the Wisconsin Lawyer Well-Being Task Force, which is an example of a state bar association addressing the critical importance of lawyer well-being. The 2017 National Task Force Report serves as a guide for our work in Wisconsin (for a number of years the State Bar of Wisconsin has had the Wisconsin Lawyer Assistance Program (WisLAP), but we are looking at the program consistent with the National Task Force report). While the Wisconsin Task Force has just started its work, it naturally got me thinking about the well-being of privacy professionals.

The National Task Force conceptualized a holistic approach that, in the privacy realm, begins with the question: How should we define well-being for privacy professionals?

This holistic approach, courtesy of the National Task Force, considers the following dimensions:

  • Emotional: Value emotions. Develop ability to identify and manage our emotions to support mental health, achieve goals, and inform decisions. Seek help for mental health when needed.
  • Intellectual: Engage in continuous learning. Pursue creative or intellectually challenging activities that foster ongoing development. Monitor cognitive wellness.
  • Occupational: Cultivate personal satisfaction, growth, and enrichment in work. Strive to maintain financial stability.
  • Physical: Strive for regular activity, good diet & nutrition, enough sleep, and recovery. Limit addictive substances. Seek help for physical health when needed.
  • Spiritual: Develop a sense of meaningfulness and purpose in all aspects of life.
  • Social: Develop connections, a sense of belonging, and a reliable support network. Contribute to groups and communities.

This is an impressive list. At one level, the reader will think they are generic enough to apply to any occupation or field. But, what unique dimensions may be teased out for the areas of privacy and data protection?

One common fact situation that I see discussed on social media platforms is data protection officers (DPOs) not being fully supported by company leadership and/or not being fully integrated into the culture of the company, entity or institution. These problems, in a generic sense, are common to other jobs and areas in the professional world. But the difference is that the modern world of privacy and data protection is slightly more than one generation old and is coupled with rapid technological development and change. That combination makes privacy and data protection a bit unique at this point in time. And given the way things are right now in the world, change will not be slowing down anytime soon.

So, the discussion comes back to enhancing the well-being of privacy professionals. What can companies and institutions do to enhance their well-being? What can professional associations do? How may a holistic approach be applied so that privacy and data protection professionals thrive?

This post is, for me and hopefully others, the start of a larger discussion about enhancing the well-being of privacy professionals. I’m sold on the holistic approach, but the key is making sure that any approach meets the needs of the target audience. These are exciting times for privacy professionals, and their well-being is a critical component to facilitate their success.

A Conversation with Sonia Intonti: Schrems II and the Way Forward

We said it to ourselves, and we heard it repeated many times, that the year 2020 will certainly have no place in the annals as a lucky year. The beginning of this new decade has seen the life, or at best the activity, of many of us bending under the pandemic crisis caused by the Coronavirus, which, among other things, has also led to the closure of every border between countries. But while none of us could physically move, thanks to the current state of technology we had the chance to experience the “power of ubiquity” that allows us to sit in our European living rooms and be virtually on the other side of the ocean through our personal data.

But 2020 didn’t wait before it surprised us again, and so just when our physical borders were beginning to slowly reopen, on 16 July the Court of Justice of the European Union (“CJEU”) effectively closed one of the main transatlantic data transfer corridors by invalidating Decision 2016/1250 on the adequacy of the protection provided by the “EU-US Privacy Shield.” Consequently, international data transfers, which are so vital for the global economy, suddenly became open to question: the CJEU has confirmed that EU standards of data protection must travel with the data when it goes overseas, which means that Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”) has wider implications than just the invalidation of the EU-US Privacy Shield (see UK Information Commissioner’s Office, Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case, 27th July 2020 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/). Besides invalidating Privacy Shield, the Court examined the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it to be valid. Schrems II is a judgment that confirms the importance of safeguards for personal data transferred out of the EU.

This article digs into the interplay between the decision on the validity of one route (SCCs) and the invalidity of the other (Privacy Shield) from both the European and American points of view.

Question 1: What do you think is the most interesting aspect of Schrems II with respect to the Privacy Shield discussion?

European Perspective: As I further explain in my answer to question 4, the aspect which in my opinion equals in interest to the one identified by my colleague Jim, is the position of the Court with regard to the two decisions which are concerned here: the ‘Privacy Shield’ adequacy decision and the European Commission decision on standard contractual clauses. On the one hand, the Court found that the requirements of US domestic law entail restrictions on the protection of personal data which are not designed to meet requirements substantially equivalent to those of EU law and that such legislation doesn’t grant data subjects enforceable rights vis-à-vis the US authorities, thus invalidating the adequacy decision “Privacy Shield.” On the other hand, however, the court confirmed the validity of the so-called standard contractual clauses which, de facto, recognize the burden and the honour of the parties to establish the adequacy of the transfer but in the light of the arguments that led to the invalidation of the decision on Privacy Shield.

American Perspective: The most intriguing aspect of the case from my perspective was the Court’s factual findings of U.S. law. Several of the broad themes I see impacting on that discussion are the increase in the U.S. surveillance state since the 9/11 attack and the fact that the U.S. political system is a representative democracy coupled with concepts of federalism (where the federal and state governments have fairly delineated rights and responsibilities). The current president, unlike most recent ones, has a broad conception of the scope of executive power. That is not an item that is endearing to most Europeans.

It is imperative that a balance be found between the European conception of privacy as a fundamental human right, and the need for some measure of a surveillance state (in the U.S. and Europe). There is a fundamental tension between a privacy right and the proper need for some surveillance. Given the large volume of data flows between Europe and the United States and given the large amount of transatlantic trade between the two partners, it is imperative that an accommodation be found between both “partners.” That last word needs to be remembered and acted upon by U.S. and EU leaders.

And one final note. In this time of the pandemic, it is even more important to maintain transatlantic data flows in the areas of individual health information and public health information.

Question 2: Given the basic governmental structures of the EU and the U.S., do you think that enough changes can be made to the U.S. intelligence and law enforcement functions to allow for the necessary protection of EU personal data?

European Perspective: As I’ve already said to my colleague Jim, I’m not in the position to discuss American law, but what I can say is that dialogues like this one, but at higher levels, are needed to ensure efficient interaction between countries with different backgrounds but which have similar perspectives. In times like this one, where the economy is global and based upon Big Data, I believe these two important partners have, or should have, similar perspectives.

American Perspective: It will take some time for U.S. changes to be made. I say that primarily because of the upcoming U.S. elections. With the pandemic and social issues taking precedence, I find it hard to see any legislative changes happening this Fall. On top of that, President Trump has now positioned himself as the “law and order” president. While he strongly compliments the military and local law enforcement, he has shown a tendency to undercut the U.S. intelligence agencies. But I do not think the latter is enough for him to take executive action on data protection in the context of the activities of the intelligence agencies and federal law enforcement. But he could surprise us. He always does.

Question 3: It is clear from the court opinion that SCCs are valid, but are on “thin ice.” What are your thoughts on improving the SCCs so that they exist on stronger legal ground?

European Perspective: The core of this question recalls my answer to the first one too. In fact, I believe this is one of the most interesting, as well as confusing, points which the Court touched on within its judgement. “SCCs confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities.” This constitutes the perimeter of that “thin ice” on which the SCCs now lie, at the moment not supported by the suggestion of any additional measure able to guarantee effective protection of Europeans’ data by the American data importer and/or any prospect of legislative changes in US law. In particular, the Court notes that the SCCs impose an obligation on the data exporter and the recipient of the data (“the data importer”) to verify, prior to any transfer, in the light of the circumstances of that transfer, whether that level of protection is respected in the third country concerned. Given that, we can only wait for the EDPB to give guidance on how these guarantees can be provided by an importer which falls within the definition of “electronic communication service provider”, which outlines the scope of Section 702 FISA, in order for it to receive data from EU partners without contravening local law.

American Perspective: I look forward to the European Commission releasing upgraded SCCs. As someone who has negotiated several thousand contracts in my career – many global – I have always had a dim view of “standard contracts,” because many need to be negotiated to fit the particular circumstances of the parties and subject matter. The current SCCs are critical to the European privacy regime and they are necessary (along with other tools) to protect European data protection rights. These are exciting times to be a contract professional.

Question 4: The U.S. Ombudsman, established to help EU citizens, was faulted by the CJEU for having insufficient authority over U.S. intelligence and law enforcement agencies. What are your thoughts about that component of the decision?

European Perspective: I like to believe that in this judgment European citizens were regarded as individuals rather than as citizens of a certain country. It is therefore the underlying concern about human rights and cultural protection that in my opinion has stimulated this very CJEU’s reaction to American government interference on European citizens’ data. For this reason, issues relating to national security and access to personal data by public authorities must be provided for by law and this law must lay down precise limitations to access to data by authorities, as well as clear and precise rules governing the measures able to ensure ‘effective and enforceable rights of data subjects.’

American Perspective: The Ombudsman role is a useful and necessary one. I would love to see that role exist in the next U.S.–EU agreement. Perhaps the U.S. needs a specialized Privacy Court. For instance, there is a U.S. Tax Court, so there is precedent. But that possibility needs an overarching U.S. Privacy Law, clearer articulation of a U.S. privacy right, and the money and political will to make a specialized court a reality.

Question 5: This decision illustrates the tension between the right to privacy and the role of intelligence and law enforcement agencies in a global economy. Considering the opinion, how is that balance best met?

European Perspective: Whenever I’m faced with a balance between different rights or interests, I feel grateful for the great Charter that the constituent fathers of my country (Italy) gave birth to in 1947, thus giving us the most important lesson on balancing fundamental principles: these principles, depending on the context, do not eclipse one another, but they always coexist in different declensions. And this is how I believe it must be between the right to privacy and the public security, as a prerogative of intelligence and law enforcement agencies, within an economic system that is now global. The only duty to guarantee public security and public order, at any level, cannot allow any kind of intrusion by government authorities, thus contradicting the principle of proportion, which is at the basis of the rationality that informs the principle of equality.

American Perspective: The tri-sector tension as articulated (right to privacy, role of intelligence and law enforcement agencies, and a global economy with massive data flows) is the most fascinating aspect of privacy (well, next to the clear articulation of “rights” in both the U.S. and EU). I believe that all three tensions may be managed (though probably not always eliminated) within the context of global economic growth. Post-pandemic, both the U.S. and EU need a long period of economic growth to get out of this hole we find ourselves in. The “pie” needs to grow. If it does not, there will continue to be economic and social unrest. But yes, I believe that privacy, security, and economic growth can exist concurrently. How that comes about is not clear at the moment.

Conclusion

Our conversation regarding the Schrems II decision and the way forward illustrates, in a small way, the similarities and differences between the partners to this transatlantic partnership. Or, perhaps, these differences and similarities are more borne out of different recent experiences on the global stage. As privacy is now a central component of global living, it will be interesting to see how events on the global stage have an impact on privacy, and vice versa.

The GDPR and U.S. Universities

The Future of Privacy Forum released a fantastic report in May 2020 entitled “The General Data Protection Regulation: Analysis and Guidance for U.S. Higher Education Institutions.” As someone who has worked in U.S. university research management for over 25 years, I found this document a welcome addition covering a big sector of the U.S. economy. The author, Dr. Gabriela Zanfir-Fortuna, did an excellent job with this piece.

For those privacy professionals who work in U.S. higher education institutions, the most common university functions covered by the GDPR include: 1) The admission and enrollment of students; 2) Students studying abroad in formalized programs (for instance, “Semester Abroad” programs); 3) American universities having physical campuses outside the U.S.; 4) Online classes; 5) Alumni; and 6) Vendors.

Another area at many universities, research/grants & contracts, is not given extensive separate treatment, but mention is made of the “Archiving, Scientific, and Historical Research” exception to the prohibition on processing special categories of personal data (p. 9). Research agreements requiring many students’ personal data are discussed on pp. 17–18.

In terms of legitimate grounds most likely applicable to U.S. universities outside the EU as controllers, the author notes these: 1) Consent; 2) Contractual Necessity (entry or performance); 3) Legitimate Interests; and 4) A Vital Interest of the Data Subject or of Someone Else (p. 18).

Whether you are new to the privacy realm or to higher education more generally, this report is a handy guide for both technical and contextual reasons.

Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

It’s been more than two weeks since the CJEU announced its ‘Schrems II’ decision, introducing the requirement to evaluate the legal landscape in third countries (those of the data importers) and to put additional safeguards in place as necessary, even if the data are transferred to third countries other than the USA on the basis of SCCs or BCRs. The FAQ issued by the EDPB on 23 July probably left more questions than answers.

Since then, media space has been overwhelmed with guidance, legal digests and discussions about how to make the assessment and what safeguards can be put in place.

The truth is that, as of now, nobody really knows a 100% workable answer. From the FAQ issued by the EDPB we know that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice”.

However, below are two tips on how to begin the assessment without engaging reputable law firms at exorbitant prices.

1. It comes from the EDPB FAQ itself: contact your data importer and ask for collaboration on the assessment. E.g. require data importers to state whether public authorities in their countries are entitled to access personal data and under which conditions, and whether the data importers are under a legal obligation to make personal data available to public authorities for any purpose.

2. Conduct your own assessment using WP237 (‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’) issued by Working Party 29.

In this document, WP29 identified four Essential Guarantees to be taken into account for all data transfers to third countries:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

At least two of them were used by the CJEU when invalidating Privacy Shield. Are all of them respected in the country of your data importer?

Will the above work? There is no guarantee. As they say, the answers are hopefully yet to come. At least this can help you understand the general landscape before signing a legal services contract with a law firm.