The Privacy Community and data nerds of all stripes are still working in overdrive to understand the ramifications of the Schrems II decision given by the CJEU last month.
Here the CJEU ruled on the transfer of personal data from inside the EU to controllers and processors outside of the EU. Specifically looking at the United States and the Privacy Shield arrangement allowing free flowing data transfers between the EU and the US.
As Daragh O Brian noted in his post from 11 August 2020 in terms borrowed from Monty Python, Privacy Shield has joined the choir eternal. It is no more.
The question is what happens now as we enter a time of legal uncertainty?
The Problem with Legal Uncertainty
Just a couple of years ago in my home country of South Africa, Justice Dennis Davis became the most popular Judge in the country when he ruled that the country’s laws criminalisation Marijuana were unlawful.
As you can imagine this made some big headlines and was met with some rather enthusiastic and some very public celebrations.
There was however a big problem – Dennis was ruling on a court that didn’t have the power to make this the law of the land. This ruling would have to be ratified by the Constitutional Court. The result was a legal limbo, with many anxious South Africans desperate to know if, when and where they could light up.
Strategy A. Betting on a new normal
Driving in Cape Town a couple of weeks after Dennis’ ruling signs were up for a new Dagga Expo in a massive convention space*(Dagga being a local South African term for Marijuana.) At this point, I will disclose that knowing Dennis I could see him admiring the mischief in this approach.
One answer to Legal Uncertainty had thus been found…
For the organisers of Dagga-Con the ramifications were big. They were willing to pursue legal uncertainty Strategy A. “Betting on a New Normal”. There was money to be made for those willing to take a risk in an uncertain market. And
For entrepreneurs, start-ups, lawyers, researchers, academics, and anyone else willing to dub themself a ‘disrupter’ this provides a golden opportunity. Something significant has been torn down and the opportunity exists to build something new.
Strategy B. Betting on the Status Quo
As is natural, those with much invested in the status quo will keep betting on it maintaining its lifeforce.
In all honesty, there is something compelling to the argument that the full force of the 21st century digital economy is not about to be stopped by the decision of the CJEU.
Already the US Department of Commerce and the European Commission have issued a joint statement declaring their intent to negotiating a new arrangement to replace Privacy Shield.
And beyond Privacy Shield there is still the Standard Contractual Clauses which might be relied upon.
In a panel hosted by the IAPP last month Renzo Marchini, (Fieldfisher Privacy, Security and Information Partner) noted that the Court of Justice was careful not to strike down the SCCs in the Schrems II Case when it could have easily done so.
This seems fair enough too. So then whose approach is worth following?
Looking to the Fundamentals
When judging the likelihood of uncertain approaches, it is important to remember that not all approaches are alike.
As American polling expert Nate Silver notes there is a big difference between risk and uncertainty.
Risk…is something that you can put a price on. Say that you’ll win a poker hand unless your opponent draws to an inside straight: the chances of that happening are exactly 1 in 11.
Uncertainty, on the other hand, is risk that is hard to measure. You might have some vague awareness of the demons lurking out there. You might even be acutely concerned about them. But you have no real idea how many of them there are or when they might strike. (Silver, Nate. The Signal and the Noise: The Art and Science of Prediction)
In our case when choosing between approaches we are forced to ask ourselves whether we are dealing with something which is more like a risk or uncertainty.
Despite its association with precision , the law is still not as predictable as the odds in a poker game. At the same time, the law is not a mysterious mystical force either. We can instead return to the fundamentals of the matter.
The Deal with Privacy Shield
As Daragh has already noted there is not ambiguity on the matter “Transfers on the basis of Privacy Shield are unlawful. Full Stop.”
And despite the optimism of US Trade Commission and EC Joint statements not replacement will happen until the: “The fundamental issues of oversight and redress that the CJEU has highlighted will need to be addressed ON THE US SIDE before any deal can be finalised. That was the position in 2015, and it remains the position now.”
On this basis it might be worth looking at the innovators out there.
The Deal with SCCs
So moving onto those SCCs.
The 1995 Data Protection Directive (the predecessor to GDPR) already outlined the idea of having standard contractual clauses (SCC) which parties could use to create adequate safeguards contractually. A first set was made by the European Commission in 2001 and revised in 2004 and 2010. Although they are far from perfect.
A standard Contractual Clause is, as the name suggests, simply a part of a contract. It may be great to have a contract in place, but as Thomas Hobbes said (more or less) laws without swords are just words.
In our case you may use a verified SCC, but also find yourself unable to commit to the SCC conditions because the government you live under happens to be rather fond of its surveillance programme and would rather not interrupt it for the sake of your business deal.
Never mind gaining legal recourse as a data subject in Europe whose rights have been violated in the US. In fact, it can be incredibly difficult to even get standing in these cases. As the US Supreme Court already dismissed petitions against its surveillance regimes in 2013 by Amnesty International for lack of standing as the parties only feared a potential future harm.
Similar concerns surround data transfers to the Surveillance-enthusiastic UK once it has made its final leap out of the EU in January.
Someone needs to come up with solutions and the rewards may be very significant for the innovators, researchers, law makers or reformers out there who can make them a reality.
As for organisers of South Africa’s Cannabis Expo…it ended up expanding to close on four times the size the following year.