A US update on the TikTok saga

As you know Trump tried to ban TikTok from the US, and a compromise was reached with TikTok that US user data would only be stored in US data-centers. Sounds a bit similar to the Irish ruling in 2020. What I am thinking is that US intelligence have the power/mandate to access data of EU data subjects under FISA 702, so what if China have something similar?

Anyhow despite my speculations, there is a new development. It seems that biometric data may or will be collected by TikTok, as it stands now, only US TikTok users, although consent will be required. Apparently it seems that now all US states require consent for the collection of biometric data!

But what about all the underage users? There is a law which mandates parental consent (of minors) in the US. A significant number of TikTok users are minors, and the mind boggles when it comes to the collection of biometric data of minors…..how aware are the parents. More and more I am coming to the view that TikTok should be banned…. even though my daughter is a user, and the fun and benefits are boundless.

Mailchimp is out, even if…..

I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business/organisation should hit a wall of what I call ‘GDPR paralysis’ because of something legal which prevents a business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact if we didn’t have this, human rights starts to become problematic, because if we as private people do not have access to jobs we lose something which is the most important word in IMHO, and that is CHOICE.

Whenever I am presented with a stop, i.e. “no can’t do”, it is an opportunity to think new. Schrems II is one such example. I did not see it as a stop on international transfers over to the US. It just meant we needed increase diligence, document all and do those Transfer Impact Assessments (TIA) so we understand risks to the rights and freedoms of the natural person. Identify supplementary measures. We need to be realistic.

However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, it is only email addresses used in a mailing campaign which was in scope of the international transfer. Risk to the rights and freedoms of the natural person is zero/negligible. Yet due to indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken. “

My take on this previously was to assess risk to the rights and freedoms of the individual, however, now this approach has been kicked out, ignored. I wonder where is the logic, the balance in this decision? Clearly if Mailchimp was being used to send out marketing communications from a Sex Shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard non-personal communication?

I am wondering which monkey was behind this decision, or am I missing something?

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blogpost by Lydia covers the Schrems I and II saga. From reading this I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example is Schrems I resulted in the fall of Safe Habor, we all know this, but what is not common knowledge, is that it seems that even Max himself was unaware that Facebook were using SCCs, if he’d known earlier there would have been no Schrems II because it would have been taken at the beginning.

You really should read the complete Post from Lydia, it is actually entertaining 😉

To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the european right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow preceding from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter it is just a compilation of the rights granted on Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3of the Charter?

Looking forward hearing from you soon.



In the Privacy Shield storm -practical advice

I am and still attending a great session hosted by the IAPP on the Schrems II decision and Privacy Shield consequence, i.e. it is no longer a legal mechanism for data transfer from the EU to the US.

Miriam Wegmeister was a great panelist and gave some great insights, very practical and cool lady!

Practical steps as follows:

  • There were some revised SCCs drafted even before this decision which can be used.
  • Look at other mechanisms, e.g. transfers subject to appropriate safeguards (Article 46). What jumps out at me are (e) Code of Conduct, and (f) Certification.
  • Art 49 normally only to be used in exceptional circumstances, maybe the Commission can relax on this. Art 49 is derogations for international transfers, my favourite (not) legal subject. It makes sense, as it is similar to Art 6, with some variations.

The decision is that Privacy Shield is not legal anymore, stop, no grace period, however looking at the UK Information Commissioner website and voila, they are recommending to “continue using Privacy Shield until new guidance becomes available” but do not start using Privacy Shield.

Yes, I’m angry about the Schrems II decision!

Why the hell should a devote privacy and GDPR advocate be angry about this decision, after all it’s good for privacy is it not?

Yes decision is correct, but also no.

Clearly Facebook is a scapegoat, twice now with Schrems I and II. But now we are in limbo again! The fact is that even if the large businesses have heaps of money to bring in an army of legal professionals to replace all Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs), which may or may not work. The Small Medium Business (SMB) do not have this luxury.

Apart from the large businesses, I work with quite a lot of SMBs, and I can tell you exactly how they feel in a single word…. confused in two words confused and hopeless. Most have yet to do their work for GDPR compliance, and those which have, may have done an initial effort in 2018, but have since done nothing.

What makes me angry is that now in 2020, some of these are calling me in because I have created some low-cost tools which help them to help themselves. They are making the effort, but they are in main, using cloud providers from the U.S., and there was a simple remediation, to check that the business was Privacy Shield certified. I had a cheat list of all most common cloud services, if the business wasn’t listed, my recommendation was to move to another which was. And so it was cheap and easy for them to fix themselves, without paying me my expensive hourly consulting rate.

So now all these SMBs have nothing, again. And yes I’m angry, because I was starting to get some traction in the SMB market. My speciality is making this legal stuff doable for any businesses, it’s not rocket science, But now it’s quite ridiculous, there is no way I will instruct every SMB to stop using all U.S. cloud services, they will kick me out. In fact the low-cost GDPR tools I have created are based on U.S. services, and they can’t be moved. There is nothing equivalent in the EU. It feels unfair to the SMB, they are getting the GDPR thing, and how it is good for business. Together, my small business and my customers were starting to make great progress.

It is not only my opinion that the SMB is critical for a functioning society, although maybe it is just mine that it is the SMB which will suffer most from this judgement?

Okay, sorry for this rant. I’m feeling a bit like Ms Angry, but now I’m done 😉

Image taken from https://www.bbc.co.uk/programmes/p05g2zz1.

Privacy, Civics, the STEM Disciplines, and the Future

By James Casey, Esq., CPP

The recent passage of Resolution 108 at the ABA House of Delegates meeting in Austin, Texas, presented a wonderful opportunity to speak again to the importance of Civics in American life. Supported by the Standing Committee on Election Law, Section of Civil Rights and Social Justice, Standing Committee on Public Education, Section of State and Local Government Law, and the Law Student Division, the Resolution urges all levels of government to facilitate the preregistration of voting by youth between the ages of 16 and 18. This preregistration will lead to increased youth voting in elections at all levels, but it is critical that Civics education be significantly increased in schools to facilitate informed voting. Two paragraphs in Resolution 108 are most important:

FURTHER RESOLVED, That the American Bar Association urges state and local educational institutions to adopt robust civic education programs to promote literacy in the institutions of American government, the methods of active civic participation in elections and governance, and a solid foundational understanding of the role and crucial importance of the rule of law; and

FURTHER RESOLVED, That the American Bar Association urges federal, state, local, territorial, and tribal governments to enact legislation, promulgate regulations, and appropriate sufficient funds to implement voter preregistration and civics education as called for by this resolution.

The Connection Between Privacy, Civics, STEM, and Innovation

You may be asking yourself at this point: What is the connection between Privacy, Civics, and the STEM disciplines (Science, Technology, Engineering, Mathematics)? There are a few important connections that may be named now: 1) STEM disciplines are at the forefront of technological initiatives to enhance privacy protection (regardless of the country); 2) An educated public (and youth particularly) about Civics and government also means an educated public when it comes to privacy and data protection; 3) Academic institutions conduct research into areas such as AI (artificial intelligence), which will transfer into privacy issues and strengthen the classroom experience; 4) Privacy and data protection in the future will increasingly adopt scientific improvements, which are often developed in universities; and 5) Privacy and data protection are interdisciplinary areas, just like Civics and the “hard sciences” (STEM). To the author, these areas are highly complementary. These connections will be amplified in a future blog post.

The importance of Civics education in the nation’s schools goes beyond enhanced voting. The next section addresses the STEM disciplines, innovation, and how Civics education is just as important as STEM education. Similarly, Privacy education is equal to the education required in Civics and STEM.

The STEM Disciplines and Innovation
Alan Leshner’s well written editorial in the 27 May 2011 issue of Science Magazine, entitled “Innovation Needs Novel Thinking,” highlights the important linkages between the STEM disciplines and innovation in ensuring that the American economy remains at the forefront of global economic growth. This section of his editorial struck me as vitally important:

In addition, innovation often comes from nontraditional thinking, and many new ideas will come from new participants in science and engineering who often are less tied to traditional ways. That argues for increasing the diversity of the scientific human resource pool, adding more women, minority, and disabled scientists, as well as researchers from smaller and less-well-known institutions. The benefits of increasing diversity by fostering innovation and economic success have been argued well elsewhere (see citation in original article). Both research institutions and funders need to attend more to these sources of novel thinking and may have to refine recruitment, reward, and funding systems accordingly (Leshner, p. 1009).

The ideas he outlined in his editorial, furthermore, can find a kinship with points made by Federal Reserve Chairman Ben S. Bernanke in his speech entitled “Promoting Research and Development: The Government’s Role,” given at Georgetown University on 16 May 2011. As Mr. Bernanke says on pages 10-11 of his speech:

… At the same time, critics of K-12 education in the United States have long argued that not enough is being done to encourage and support student interest in science and mathematics. Taken together, these trends suggest that more could be done to increase the number of U.S. students entering scientific and engineering professions.

The commentary by Mr. Bernanke and Mr. Leshner are absolutely on point. The United States needs increasing numbers of graduates who are skilled in the STEM disciplines if it is to remain a dominant economic power. But that objective is only part of the goal of increasing innovation and economic wealth. The innovation environment needs to be expanded beyond STEM.

Expanding the Context of Innovation

While focusing on the STEM disciplines is a meritorious approach to increasing innovation and wealth creation in the United States, it does not cover the entire universe of what is necessary to create an innovation society. Attention to non-STEM areas – such as Civics – is critical to creating an innovation society. Civics is the broad area encompassing such disciplines as history, law, and political science. An educated and engaged citizenry is critical to the creation of an innovation economy in the United States. And advances in privacy are critical to an innovation economy anywhere in the world.

One can find the genesis of law and innovation in the U.S. Constitution. Article I, Section 8, Clause 8, of the Constitution empowers the U.S. Congress to:

To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

This clause serves as the constitutional bedrock for U.S. intellectual property law. This is the first clue that technology and innovation is not solely a STEM concern.

The May 2011 issue of the ABA Journal discusses these issues in an excellent article entitled, “Flunking Civics: Why America’s Kids Know So Little.”[i] The article says the following with regards to a focus on certain disciplines (p. 34):

Since the late 1990s, when American students tested poorly in reading, science and math against students from 20 other Western nations, federal education policy has focused strongly on those three subjects at the expense of history, social studies, government and civics.

That trend began in 2001 with the Bush Administration’s landmark No Child Left Behind Act, which gives priority to federal funding for efforts to improve student performance in reading and math, skills that are considered fundamental to student success in the workplace. The program continued under the Obama Administration’s support for so-called STEM programs, which rewarded student achievement in the fields of science, technology, engineering and math.

Educators fear that this long-range focus on a few limited subjects that are considered fundamental to student success is squeezing out the amount of time and effort devoted to subjects considered non-fundamental, such as history, social science, government and civics.

This concern over the “squeezing out” of non-STEM subjects is matched by documented evidence that U.S. students and adults have a very poor grasp of law, history, or government, all of which are considered essential for civic engagement. The ABA Journal article (p. 34) notes that a 2005 survey by the ABA found that nearly half of all Americans were unable to correctly identify the three branches of government, and a FindLaw survey that same year found that only 57% of Americans could name any U.S. Supreme Court justice. Retired U.S. Supreme Court Justice Sandra Day O’Connor is quoted in the article as saying (p. 37):

There are all kinds of polls out there showing that barely one out of three Americans can name the three branches of government, let alone describe what they do.

If the polls are correct in large measure, meaning that most Americans are illiterate when it comes to their government and what it does, how can they function and benefit in an innovation economy? There is more to government than releasing funds to beneficiaries.

The American Bar Association has long had a significant interest in civics education. As noted in the ABA Journal article (p. 37), the ABA Commission on Civic Education in the Nation’s Schools is co-sponsoring a series of academic events around the country where community leaders can teach students about the law, the Constitution, and the importance of civic engagement. The Commission has supported these activities with other resources, such as a resource guide and a website where law schools, courts, civic organizations, and other organizations interested in sponsoring such a forum can find suggested curriculum, formats, lesson plans, strategies, and other information (p. 37).

The Connection Between Civics, Voting, and Innovation

It is easy to design a high school or undergraduate course drawing the connection between civics, voting and innovation. This includes such topics as: 1) Why it is important that Civics be taught in grade and high schools and why it is important for the rule of law; 2) The constitutional basis of copyrights and patents in the U.S. (Article I, Section 8, Clause 8); 3) The history of inventions in the United States, particularly those of significance; 4) Basic STEM dimensions that bear upon innovation today; 5) The major laws and regulations impacting innovation today; 6) Current issues in innovation; and 7) The future of innovation.

This approach – tailored for a specific educational level – would help engage all students in the concepts of innovation and raise the level of civic engagement in the area of innovation. Such a course would educate all, not just students engaged in the STEM disciplines or majoring in those areas.


A strong Civics curriculum at the grade, high school, and college levels would benefit America in several ways.

As exemplified by ABA Resolution 108, a robust dedication to teaching Civics at all levels, coupled with voter preregistration between the ages of 16 and 18, would lead to increased and informed youth voting. American democracy is strengthened by these improvements. There is more to American democracy than the internet, Facebook, and Twitter. Students must be well versed in American history, law, politics, and Civic engagement. Privacy and data protection are strengthened by having educated youth and an engaged citizenry.

An American citizenry educated in Civics and STEM (or STEAM as the new acronym – adding Arts) will also go a long way to creating a culture of innovation. If America truly wants an innovation society that creates wealth for all its people, then the education of America’s youth will have to go far beyond the STEM disciplines. Privacy is a critical component in that education. Students will learn that true innovation in the United States stems from democracy and a largely capitalist economic system. Increased Privacy and Civics education, increased voting, and increased STEM education will lead to continued American success in a global economy.

The current pandemic is a time of monumental change, sadness, and uncertainty. Despite those characteristics, it is also a time of great opportunity, with Privacy at the forefront.


James Casey, Esq., CPP, is an attorney, certified privacy practitioner (CPP), and consultant based in Washington, DC. He is also an Adjunct Associate Professor in the CUNY M.S. Program in Research Administration and Compliance. He is presently a State Bar of Wisconsin representative to the ABA House of Delegates and holds several positions within the ABA Science and Technology Law Section. He is a past president of the State Bar of Wisconsin Nonresident Lawyers Division and is a Life Fellow of the Wisconsin Law Foundation and a Fellow of the American Bar Foundation. The opinions expressed in this article are solely his.

[i] Mark Hansen, “Flunking Civics: Why America’s Kids Know So Little.” ABA Journal, May 2011, pp. 32-37.

Safe Habor, so what now?

I’ve been asked this question more than once, funnily enough. The fact is that even the Safe Habor experts don’t have concrete answers 😉

Noh-MasksBasically it’s business as usual until some way forward is found. For those companies that are following Safe Habor practices today and tomorrow, they will not going to be penalized for this. It’s not their fault that what was considered legal last week is not this week!

There is a revised Safe Habor that has been worked on for a couple of years now which includes the restriction on U.S. government (intelligence) access to personal data of non-Americans, but it has not been finalized yet. From what I understand, it is not agreed precisely because the U.S. want this exact point removed, which is exactly the motivation of the ruling on Safe Habor! I guess the EU and U.S. must fix this now.
I can imagine that Binding Corporate Rules (BCRs) will gain a new momentum from hereon. However this is significant work for any company working across legal jurisdictions, and today it is only some of the really large global corporations who have BCRs in place and working.

s.215 Patriot Act is due for renewal in June 2015

And you have a chance to do something to stop the indiscriminate surveillance practices used by the U.S. government agencies. It seems that the Act that was created in a single month has one part that is being abused and this is section 215. To find out more check here.

Stop 215 (video)

Even if you are not living in the United States, or you are not American, you can still do something. You know that government intelligent agencies all over the world are sharing your personal information with NSA. We are all a part of this mass surveillance program. I sent out some pre-defined Twitters from my virtual shadows handle. Find the ones I used here.