GDPR, the General Data Protection Regulation, was made into law in 2016 in the European Union and came into force on May 25th, 2018, immediately triggering some privacy-related litigation. Many a blogger wrote an essay on its details, and many a good consultant made a fortune helping companies implement it.
A legal collision immediately arose to accompany the shiny new EU privacy law in our beautiful global world of peace and freedom, where information can flow everywhere without boundaries.
Imagine a benign company, such as Microsoft (and note how I am carefully not mentioning the nefarious ones, such as Facebook). You are not “monetizing” your customers who think the service is free; you are just looking for a cost-effective place to store their data. And somehow, it is Ireland, a devout EU member, but on the other hand, you are prominent on the NY stock exchange.
One day, into the court comes the FBI and subpoenas some data on a hostile actor who happens to be, say, a rogue Luxembourgian. And the data is currently somewhere around Dublin. If you (Microsoft) give it up, you have just shared some personally identifiable information of an EU citizen with a foreign party. If you do not, you have just violated a perfectly legal court order and ignored a potential threat to national security.
The European Commission and the US administration made quite a few attempts to create some form of a legal framework that would resolve the collision. However, primarily thanks to one guy, Max Schrems, these measures were struck down by European courts over and over again.
Mr. Schrems, a privacy activist, runs a non-profit organization, NOYB (“None Of Your Business”). He and his organization have a couple of remarkable achievements under their proverbial belt.
The first significant case actually pre-dates the GDPR. Commonly called “Schrems I,” it is a complaint to the Irish Data Protection Commissioner about the practices of Facebook. The complaint went up to the European Court of Justice and resulted in the first U.S.-EU agreement, the Safe Harbor, being declared invalid.
On May 26th, 2018, immediately after the GDRP became effective, Schrems filed more complaints, including Google, Facebook, Amazon, Apple, Spotify, and other Big Tech American companies.
In 2020, in “Schrems II,” the ECJ stroke down the second US-EU agreement, the Privacy Shield. In both Schrems cases, the court ruled against the European Commission’s international agreement with the United States, allowing national regulators to impose fines and preliminary orders on American businesses.
The European Commission has a mechanism called the “Adequacy decision.” Under it, the privacy laws of a non-EU country are scrutinized by the EC, the European Data Protection Board, and member countries of the Union. The current list of “adequate” countries includes the United Kingdom, Israel, Canada, Argentina, Uruguay, Japan, Korea, New Zealand, Switzerland, and Andorra, but not the United States.
This means that, according to the European Union, the privacy protection measures in the US are inadequate.
The third, or perhaps the fourth, attempt to enable the free flow of European data across the ocean has been made by President Biden in his new Executive Order. The new ultimate solution to the privacy problem is called the “Trans-Atlantic Data Privacy Framework.”
Will this be the final attempt?
An adequacy decision stands on three pillars:
- Safeguarding the personal data (minimal necessary use and no 3rd party transfer)
- Transparency of use (right to know what is stored and a right to delete)
- Ability to obtain redress (independent supervision and an address for complaints).
The new Executive Order is lacking in all three departments. It primarily concerns the US intelligence community, is very scarce on transparency, and makes limited progress on independent supervision. Compare this to the Japan adequacy decision, summarized here.
It is hard to imagine how an Executive Order will come close to the high bar of GDPR Adequacy without the necessary and relatively far-reaching federal privacy legislation.
It is more likely that Mr. Schrems will score another huge win in what will be called “Schrems III.”
Considering his track record, they might as well give him a permanent seat in the court.