Let’s get creative with cookie banners! I’m sure it’s fine?

I am seeing more and more of the new type of cookie banner, which basically informs you of non-essential cookies, i.e. it is not required for the essential ones, which is great. However, there is some creative engineering active which is not compliant with GDPR. I am accepting non-essential cookies, for whatever reason on my side, but this is because on the cookie side, opt-out is not set as a default. Let’s take a single example.

I was visiting the Guardian newspaper this morning and it got me thinking again about cookies. Privacy by design as a default is about ensuring that the user needs to do nothing to protect his/her privacy; data protection by default in the GDPR is based on this concept. However, what I found on the Guardian website was most definitely not opt-in, it was opt-out, and the Guardian newspaper is British, still part of the EU?

What I observed was a very interesting technique to discourage the visitor from opting out. When I first arrived on the Guardian newspaper website, the following notice pops up on the cookie banner, which looks good.

We and our partners use your information – collected through cookies and similar technologies – to improve your experience on our site, analyse how you use it and show you personalised advertising.

But then it continues with the following. The default “I’m OK with that” is not what I would expect unless by default all cookies are in opt-out mode. But at this stage I really have no idea. My expectation as a privacy guy is that opt-out is the default setting.

However, when clicking on Options, the following message is displayed, and it still is not clear if cookies are loaded onto the visitor’s device as a default or not; the Off booleans are not selected, nothing is.

I went to the cookie notice and found that in fact the default was that cookies are downloaded as a default, and it is necessary to go through to another site to configure.

And this is what got me thinking. Non-essential cookies as a default should be switched off, i.e. opt-out. And it should not be more difficult to opt out than to opt in.

The Well-Being of Privacy Professionals: A Critical Component for Success

The fields of privacy and data protection are fairly new areas of professional activity. Certainly the last generation+ has seen an explosion in job growth. The question naturally arises, then, as to whether individuals working in the area are happy and professionally satisfied. Do they derive professional satisfaction? Are they thriving? Is stress in the workplace too much? Are they supported by their leadership? Do they have a satisfactory work-home balance? Does job stress cause privacy pros to seek relief by turning to alcohol, drugs, and other substances? These are all critical questions that need to be asked as the areas of privacy and data protection continue to develop on a global level.

Another field, law, has been grappling with the topic of lawyer well-being for a number of years now. In fact, the topic of lawyer well-being is being addressed by a number of state bar associations in the United States. In 2017 the National Task Force on Lawyer Well-Being released a report, which was based on a 2016 survey of 13,000 practicing attorneys. That survey found that too many lawyers are not thriving. The reader is encouraged to check out this material at: https://lawyerwellbeing.net/.

I was honored to be appointed to the Wisconsin Lawyer Well-Being Task Force, which is an example of a state bar association addressing the critical importance of lawyer well-being. The 2017 National Task Force Report serves as a guide for our work in Wisconsin (for a number of years the State Bar of Wisconsin has had the Wisconsin Lawyer Assistance Program (WisLAP) but we are looking at the program consistent with the National Task Force report). While the Wisconsin Task Force has just started its work, it naturally got me thinking about the well-being of privacy professionals.

The National Task Force conceptualized a holistic approach that, in the privacy realm, begins with the question: How should we define well-being for privacy professionals?

This holistic approach, courtesy of the National Task Force, considers the following dimensions:

  • Emotional: Value emotions. Develop ability to identify and manage our emotions to support mental health, achieve goals, and inform decisions. Seek help for mental health when needed.
  • Intellectual: Engage in continuous learning. Pursue creative or intellectually challenging activities that foster ongoing development. Monitor cognitive wellness.
  • Occupational: Cultivate personal satisfaction, growth, and enrichment in work. Strive to maintain financial stability.
  • Physical: Strive for regular activity, good diet & nutrition, enough sleep, and recovery. Limit addictive substances. Seek help for physical health when needed.
  • Spiritual: Develop a sense of meaningfulness and purpose in all aspects of life.
  • Social: Develop connections, a sense of belonging, and a reliable support network. Contribute to groups and communities.

This is an impressive list. At one level, the reader will think they are generic enough to apply to any occupation or field. But, what unique dimensions may be teased out for the areas of privacy and data protection?

One common fact situation that I see discussed on social media platforms is when data protection officers (DPOs) are not fully supported by company leadership and / or not being fully integrated into the culture of the company / entity / institution. These problems, in a generic sense, are common to other jobs and areas in the professional world. But, the difference is that the modern world of privacy and data protection is slightly more than one generation old and is coupled with rapid technological development and change. That combination makes privacy + data protection a bit unique at this space in time. And given the way things are right now in the world, change will not be slowing down anytime soon.

So, the discussion comes back to enhancing the well-being of privacy professionals. What can companies and institutions do to enhance their well-being? What can professional associations do? How may a holistic approach be applied so that privacy and data protection professionals thrive?

This post is, for me and hopefully others, the start of a larger discussion about enhancing the well-being of privacy professionals. I’m sold on the holistic approach, but the key is making sure that any approach meets the needs of the target audience. These are exciting times for privacy professionals, and their well-being is a critical component to facilitate their success.

A Conversation with Sonia Intonti: Schrems II and the Way Forward

We said it to ourselves, and we heard it repeated many times, that this year 2020 will certainly have no place in the annals as a lucky year. The beginning of this new decade has seen the life or at best the activity of many of us bending due to the pandemic crisis caused by the Coronavirus, which, among others, has also led to the closure of every border between countries. But while none of us could physically move, thanks to the current state of technology we had the chance to experience the “power of ubiquity” that allows us to sit in our European living rooms and be virtually on the other side of the ocean through our personal data.

But 2020 didn’t wait before it surprised us again, and so just when our physical borders were beginning to slowly reopen, on 16 July the Court of Justice of the European Union (“CJEU”) effectively declared invalid one of the main transatlantic data transfer corridors, by invalidating Decision 2016/1250 on the adequacy of protection provided by the “EU-US Privacy Shield.” Consequently, international data transfers, which are so vital for the global economy, suddenly became open to question: the CJEU has confirmed that EU standards of data protection must travel with the data when it goes overseas, which means that Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”), has wider implications than just the invalidation of the EU-US Privacy Shield (see UK Information Commissioner’s Office, Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case, 27th July 2020 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/). Besides invalidating Privacy Shield, the Court examined the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it to be valid. Schrems II is a judgment that confirms the importance of safeguards for personal data transferred out of the EU.

This article digs into the interplay between the decision on the validity of one route (SCCs) and the invalidity of the other (Privacy Shield) from both the European and American points of view.

Question 1: What do you think is the most interesting aspect of Schrems II with respect to the Privacy Shield discussion?

European Perspective: As I further explain in my answer to question 4, the aspect which in my opinion equals in interest to the one identified by my colleague Jim, is the position of the Court with regard to the two decisions which are concerned here: the ‘Privacy Shield’ adequacy decision and the European Commission decision on standard contractual clauses. On the one hand, the Court found that the requirements of US domestic law entail restrictions on the protection of personal data which are not designed to meet requirements substantially equivalent to those of EU law and that such legislation doesn’t grant data subjects enforceable rights vis-à-vis the US authorities, thus invalidating the adequacy decision “Privacy Shield.” On the other hand, however, the court confirmed the validity of the so-called standard contractual clauses which, de facto, recognize the burden and the honour of the parties to establish the adequacy of the transfer but in the light of the arguments that led to the invalidation of the decision on Privacy Shield.

American Perspective: The most intriguing aspect of the case from my perspective was the Court’s factual findings of U.S. law. Several of the broad themes I see impacting on that discussion are the increase in the U.S. surveillance state since the 9/11 attack and the fact that the U.S. political system is a representative democracy coupled with concepts of federalism (where the federal and state governments have fairly delineated rights and responsibilities). The current president, unlike most recent ones, has a broad conception of the scope of executive power. That is not an item that is endearing to most Europeans.

It is imperative that a balance be found between the European conception of privacy as a fundamental human right, and the need for some measure of a surveillance state (in the U.S. and Europe). There is a fundamental tension between a privacy right and the proper need for some surveillance. Given the large volume of data flows between Europe and the United States and given the large amount of transatlantic trade between the two partners, it is imperative that an accommodation be found between both “partners.” That last word needs to be remembered and acted upon by U.S. and EU leaders.

And one final note. In this time of the pandemic, it is even more important to maintain transatlantic data flows in the areas of individual health information and public health information.

Question 2: Given the basic governmental structures of the EU and the U.S., do you think that enough changes can be made to the U.S. intelligence and law enforcement functions to allow for the necessary protection of EU personal data?

European Perspective: As I’ve already said to my colleague Jim, I’m not in the position to discuss American law, but what I could say is that dialogues like this one, but at higher levels, are needed to ensure efficient interaction between countries with different backgrounds but which have similar perspectives. In times like this one where the economy is global and based upon Big Data, I believe these two important partners have, or should have, similar perspectives.

American Perspective: It will take some time for U.S. changes to be made. I say that primarily because of the upcoming U.S. elections. With the pandemic and social issues taking precedence, I find it hard to see any legislative changes happening this Fall. On top of that, President Trump has now positioned himself as the “law and order” president. While he strongly compliments the military and local law enforcement, he has shown a tendency to undercut the U.S. intelligence agencies. But I do not think the latter is enough for him to take executive action on data protection in the context of the activities of the intelligence agencies and federal law enforcement. But he could surprise us. He always does.

Question 3: It is clear from the court opinion that SCCs are valid, but are on “thin ice.” What are your thoughts on improving the SCCs so that they exist on stronger legal ground?

European Perspective: The core of this question recalls my answer to the first one too. In fact, I believe this is one of the most interesting, as well as confusing, points which the Court touched on within its judgement. “SCCs confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities,” and this constitutes the perimeter of that “thin ice” where the SCCs laid down, at the moment not supported by the suggestion of any additional measure able to guarantee an effective protection by the American data importer of Europeans’ data and / or any perspective of legislative changes in US law. In particular, the Court notes that the SCCs impose an obligation on the data exporter and the recipient of the data (“the data importer”) to verify, prior to any transfer, in the light of the circumstances of that transfer, whether that level of protection is respected in the third country concerned. Given that, we can only wait for the EDPB to give guidance on how these guarantees can be provided by the importer which falls within the definition of “electronic communication service provider” which outlines the scope of Section 702 FISA, in order for it to receive data from EU partners without contravening local law.

American Perspective: I look forward to the European Commission releasing upgraded SCCs. As someone who has negotiated several thousand contracts in my career – many global – I have always had a dim view of “standard contracts,” because many need to be negotiated to fit the particular circumstances of the parties and subject matter. The current SCCs are critical to the European privacy regime and they are necessary (along with other tools) to protect European data protection rights. These are exciting times to be a contract professional.

Question 4: The U.S. Ombudsman, established to help EU citizens, was faulted by the CJEU for having insufficient authority over U.S. intelligence and law enforcement agencies. What are your thoughts about that component of the decision?

European Perspective: I like to believe that in this judgment European citizens were regarded as individuals rather than as citizens of a certain country. It is therefore the underlying concern about human rights and cultural protection that in my opinion has stimulated this very CJEU’s reaction to American government interference on European citizens’ data. For this reason, issues relating to national security and access to personal data by public authorities must be provided for by law and this law must lay down precise limitations to access to data by authorities, as well as clear and precise rules governing the measures able to ensure ‘effective and enforceable rights of data subjects.’

American Perspective: The Ombudsman role is a useful and necessary one. I would love to see that role exist in the next U.S. – EU agreement. Perhaps the U.S. needs a specialized Privacy Court. For instance, there is a U.S. Tax Court – so there is precedent. But that possibility needs an overarching U.S. Privacy Law, clearer articulation of a U.S. privacy right, and the money and political will to make a specialized court a reality.

Question 5: This decision illustrates the tension between the right to privacy and the role of intelligence and law enforcement agencies in a global economy. Considering the opinion, how is that balance best met?

European Perspective: Whenever I’m faced with a balance between different rights or interests, I feel grateful for the great Charter that the constituent fathers of my country (Italy) gave birth to in 1947, thus giving us the most important lesson on balancing fundamental principles: these principles, depending on the context, do not eclipse one another, but they always coexist in different declensions. And this is how I believe it must be between the right to privacy and the public security, as a prerogative of intelligence and law enforcement agencies, within an economic system that is now global. The only duty to guarantee public security and public order, at any level, cannot allow any kind of intrusion by government authorities, thus contradicting the principle of proportion, which is at the basis of the rationality that informs the principle of equality.

American Perspective: The tri-sector tension as articulated (right to privacy, role of intelligence and law enforcement agencies, and a global economy with massive data flows) is the most fascinating aspect of privacy (well, next to the clear articulation of “rights” in both the U.S. and EU). I believe that all three tensions may be managed (though probably not always eliminated) within the context of global economic growth. Post-pandemic, both the U.S. and EU need a long period of economic growth to get out of this hole we find ourselves in. The “pie” needs to grow. If it does not, there will continue to be economic and social unrest. But yes, I believe that privacy, security, and economic growth can exist concurrently. How that comes about is not clear at the moment.

Conclusion

Our conversation regarding the Schrems II decision and the way forward illustrates, in a small way, the similarities and differences between the partners to this transatlantic partnership. Or, perhaps, these differences and similarities are more borne out of different recent experiences on the global stage. As privacy is now a central component of global living, it will be interesting to see how events on the global stage have an impact on privacy, and vice versa.

The GDPR and U.S. Universities

The Future of Privacy Forum released a fantastic report in May 2020 entitled, “The General Data Protection Regulation: Analysis and Guidance for U.S. Higher Education Institutions.” As someone who has worked in U.S. university research management for over 25 years, this document was a welcome addition covering a big sector of the U.S. economy. The author, Dr. Gabriela Zanfir-Fortuna, did an excellent job with this piece.

For those privacy professionals who work in U.S. higher education institutions, the most common university functions covered by the GDPR include: 1) The admission and enrollment of students; 2) Students studying abroad in formalized programs (for instance, “Semester Abroad” programs); 3) American universities having physical campuses outside the U.S.; 4) Online classes; 5) Alumni; and 6) Vendors.

Another area at many universities – research / grants & contracts – is not given extensive separate treatment but mention is made of the “Archiving, Scientific, and Historical Research” exception against the processing of special categories of personal data (p. 9). Research agreements requiring many students’ personal data are discussed on pp. 17-18.

In terms of legitimate grounds most likely applicable to U.S. universities outside the EU as controllers, the author notes these: 1) Consent; 2) Contractual Necessity (entry or performance); 3) Legitimate Interests; and 4) A Vital Interest of the Data Subject or of Someone Else (p. 18).

Whether you are new to the privacy realm or to higher education more generally, this report is a handy, useful guide for technical and context reasons.

Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

It’s been more than two weeks since the CJEU announced its ‘Schrems II’ decision, introducing the requirement to evaluate the legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, even if the data are transferred to third countries other than the USA based on SCC or BCR. The FAQ issued by the EDPB on 23 July probably left more questions than answers.

Since then, the media space has been overwhelmed with various guidance, legal digests and discussions about how to make the assessment and what safeguards can be put in place.

The truth is, as of now, nobody really knows 100% workable answers. From the FAQ issued by the EDPB we know that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice”.

However, below are two tips on how to begin with the assessment without engaging reputable law firms with exorbitant prices.

1. It comes from the EDPB FAQ itself – contact your data importer and ask for collaboration with regard to the assessment. E.g. require data importers to state whether public authorities in their countries are entitled to have access to personal data and on which conditions; whether the data importers are under a legal obligation to make personal data available to public authorities for any purposes.

2. Conduct your own assessment using WP237 (‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’) issued by Working Party 29.

In this document, WP29 identified 4 Essential Guarantees to be taken into account for all data transfers to third countries:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

At least two of them were used by CJEU when invalidating Privacy Shield. Are all of them respected in the country of your data importer?

Will the above work? Not really a fact. As they say, the answers are hopefully yet to come soon. At least, this can help you understand a general landscape prior to signing a legal service supply contract with a law firm. 

Observations on Office Re-Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re-engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today adaptability and flexibility are key for people and structures (such as a privacy office).

That got me thinking about a large part of my career to date – the establishment and re-engineering of research offices at American universities. By “research” I mean the administration of grants, contracts, and other legal instruments that support faculty research. International grants and contracts are a large component in this area. For instance, the NIH (National Institutes of Health) in Washington, D.C., funds research undertaken by European scientists. That global dimension will only continue to increase in a post-pandemic world, although it appears that a robust European posture towards research is in question as I write this.

My own involvement with the establishment and re-engineering of research offices began at Northwestern University in Evanston, Illinois. We had a major challenge at NU as we were re-engineering operations while maintaining the administration of $165M USD in research funding. Subsequent to that, I established two research offices at smaller universities and then established a contracts / industrial agreements office at a larger university in Texas. While at the latter institution I oversaw two additional re-organizations that built upon the original office.

Those universities provided me with a lifetime of unique and challenging experiences. So, here are my thoughts and observations on best practices for building and re-engineering offices, along with specific comments to the privacy office context:

  1. Every university research office was designed to be public facing, client (faculty)-oriented, and collegial with other university offices. It was critical that the research office work effectively with other university offices. What is the parallel situation in privacy? A privacy office that works collaboratively with a security office (or any other office, for that matter).
  2. No research office was meant to operate as an “island” or a “silo.” A privacy office should not be its own island or silo within a company or other organization.
  3. One particular aspect of these offices was that they were designed for staff to “get out” into the greater community of the university – and beyond. It seems to me that privacy office personnel serve in a similar capacity within their environment.
  4. When re-engineering an office, particular attention must be paid to client satisfaction and “upping your game.” What does your office do well in Version 1.0, and what do you want to do well in Version 2.0? What pressure points need to be eliminated?
  5. Professional development opportunities for staff must be plentiful. I see this as a common thread between the privacy and research worlds. When you think about it, both areas are intellectually vibrant and subject to rapid change. While it is important to stay abreast of such change, getting ahead of said change is preferable.
  6. How are you going to measure office success? What are the metrics or KPIs? In the realm of research contracting, for instance, one such measure is the length of time to get a contract negotiated and signed. In privacy, one such metric is the length of time it takes to respond to DSARs.
  7. Lastly, the human / interpersonal dimension of an office is just as important as the technical / legally satisfying dimension. Not only must the office be enjoyable for the staff to work in, but it must be viewed – and in reality – as an enjoyable partner within the environment(s) within which it operates. Research management and privacy management are truly Art + Science.

Research offices and privacy offices have more in common than probably many people would have thought. Both operate in a rapidly changing global environment and are intellectually vibrant. It will be quite interesting to see how these offices function and change over the next few years.

European Essential Guarantees Guide (‘EEGG’) is now LIVE! with myself being one of the contributors thereto.

EEGG focuses on governmental measures aimed at surveillance, interception of communications, access to personal data and storage thereof by public authorities in different countries.

EEGG provides non-binding assessment by expert contributors worldwide of compliance with ‘European Essential Guarantees’ (summarized by the Working Party 29, the European Data Protection Board predecessor) and subsequent European Court of Human Rights case law.

The link is below:

https://www.essentialguarantees.com

As you may note, some countries are still waiting for their expert contributors, so feel free to join the project and contribute!

Contract Negotiation Best Practices and SCCs

Given the recent CJEU decision in Schrems II with respect to standard contractual clauses (SCCs), it struck me as a good time to revisit best practices in contract negotiation. The suggestions below are the result of 18+ years’ negotiating contracts in law, local government, and academia, including many with colleagues in Europe and beyond.

Whether these suggestions apply to your particular role in the privacy universe, especially in light of the Schrems II decision, I will leave that up to you. So, these practical suggestions and observations *may* be applicable in the privacy realm, but they are certainly applicable in the larger professional world. These are presented in no particular order of importance:

  1. Gather as much information from your negotiating partner as early in the negotiation as possible.
  2. Avoid using texts and certain software programs such as WhatsApp to negotiate, except in rare / emergency situations.
  3. Have an Offer-Concession Strategy: What is important to your organization or company? What are you willing to compromise on and what are non-negotiable issues?
  4. Do more listening than talking. TRULY LISTEN.
  5. Negotiate for the long term. Build a long term relationship, if that is what both parties want. You never know what the future will bring.
  6. The parties’ missions should mesh together. That builds long-term partnerships. No meshing of missions = less chance of success.
  7. Have empathy for your negotiating partner. Understand where they are coming from and then work toward a mutually satisfying result. This is even more important given the pandemic.

Utilize these in your negotiations – including in privacy-related matters – and you are in good stead for the future. Remember, contract negotiation is art + science, so you need both the technical skills / aptitude AND the interpersonal skills to work in a civil manner with your colleague(s).

One last point. Contract professionals need to be flexible. This was quite true before the pandemic, and it is even more important given the pandemic and the uncertainty unleashed by Schrems II. We are in uncertain times for several reasons, but I suspect that privacy professionals will rise to the occasion when it comes to SCCs and contract negotiation.

The Aftermath of Schrems II

Much has been written about the Schrems II case since its publication 9 days ago. Rather than simply repeat what many others have said on various privacy sites, I want to provide my own take on it within the broader context of what is going on in the world today.

While Schrems II invalidated the EU-US Privacy Shield, the decision cannot help but have implications for other countries throughout the world. What happens when European personal data flows to countries where government commitment and judicial systems are not strong enough to enforce EU personal data protections?

As an experienced contract negotiator & attorney, I have always been fascinated with standard contract clauses – regardless of the subject matter. The evolution of the European Commission SCCs remains a subject of high interest.

With regards to the EU – United States relationship, it is important to remember that there is $7.1B USD of annual trade between the two partners. It is my hope (and confidence) that adjustments may be made on the U.S. side so that this mutually important relationship remains strong and prosperous. Sometimes it helps to be reminded that Europeans and Americans have more in common than in difference.

The pandemic and the situation in Hong Kong may yet play out in ways that many people in Europe and America cannot predict presently.

I close by saying that these are exciting times to be an ethical privacy practitioner, whether in Europe, America, or beyond, and the best way to add value to governments, businesses, and clients of all stripes is through continual and thoughtful professional development.

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blogpost by Lydia covers the Schrems I and II saga. From reading this I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example is that Schrems I resulted in the fall of Safe Harbor; we all know this, but what is not common knowledge is that it seems that even Max himself was unaware that Facebook were using SCCs. If he’d known earlier there would have been no Schrems II because it would have been taken at the beginning.

You really should read the complete Post from Lydia, it is actually entertaining 😉


To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the European right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow precedent from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter is just a compilation of the rights granted to Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3 of the Charter?

Looking forward to hearing from you soon.

Sincerely,

L