Privacy, Technology and Perspective
A New Way to Move Data from the EU to the US: The European Commission has adopted an updated version of the Standard Contractual Clauses (SCCs), which are designed to facilitate data transfers from the European Economic Area (EEA) to non-EEA countries (known as “third countries”). Click on the following link for a good overview:
Generally, the new SCCs align with the European Union’s General Data Protection Regulation of 2018 (GDPR), setting out appropriate safeguards including enforceable data subject rights and effective legal remedies.
Here is a link to a website with a downloadable version of the new SCCs:
“I run a business. What’s this all about? How can I understand it, without specializing in privacy or at least having a law degree?”
The point of Europe’s 2018 GDPR is to force companies doing business in Europe – or doing business with Europeans, wherever they roam – to take as seriously as they do their fundamental right to privacy, which Europe established for itself in the smoking rubble of World War II.
Shorn of its complexities, bureau-speak, and exceptions, this means that businesses “processing” Europeans’ personal information must handle it with care, since it belongs to those individuals (called “data subjects”), not you. It means no tracking, stalking, surveilling, or selling data harvests to others without those data subjects’ permission. It means not using the data for purposes the data subjects don’t know about or haven’t approved. It means keeping the data reasonably secure and deleting it when it’s no longer needed for what they intended. And it means allowing the data subjects effective redress – against private businesses or the government – when their rights are infringed.
In short, the GDPR means that the price of doing business with Europeans includes letting those individuals bring along with them a little piece of European sovereignty, wherever they (or their data) roam – even here.
For many countries, this isn’t really a problem because those countries already provide similar protections for their own citizens, as a matter of their own sovereignty. The European Commission deems these countries “adequate” in this respect.
But the United States is pointedly not among this group. To be described as “inadequate” about anything grates on American ears, but here, so far as Europeans are concerned, “inadequate” is “precisement le mot juste.” Why? Because the fundamental, constitutional protections of the American people — our unparalleled First Amendment, which wholly protects our personal thoughts, political views, religious devotions, racial or credal identities, union membership and so on; our shining Fourth and Due Process Amendments, which are beacons to the world of how a people may protect themselves from abuse by their own governments’ police and security powers – apply generally only to Americans, and not to Europeans or other foreigners.
The problem has smoldered and flared over the Atlantic for many years, driven by growing European frustration by Big Tech’s indifferent hoovering up of European data for free-wheeling use in the American style, and growing European rage over U.S. intelligence services’ unrestrained, clandestine monitoring of European communications in ways and breadths that would never be tolerated against Americans. Efforts to accommodate both sides of the pond have varied. Years ago there was an agreed “safe harbor” of conduct under which U.S. businesses could obtain Europeans’ personal data; but compliance (never great) weakened in the wake of 9/11 and the “safe harbor” was disallowed in the Schrems I case, to be replaced by the “Privacy Shield” regime, itself disallowed recently in Schrems II.
In response to the decision in Schrems II, the European Commission has now amended the GDPR’s Standard Contractual Clauses to require businesses in countries it deems “inadequate” (read: American businesses) to subject themselves to yet stricter requirements and compliance. This means businesses must weigh the benefits of European commerce (which no longer include the value of unlimited European personal information) against the compliance costs, risks, and liabilities of the new SCCs. And since even the new SCCs won’t limit U.S. intelligence services in any way, it would probably be wise to include in agreements that if the U.S. business receives a national security letter, subpoena, or other demand, it will give such notice to affected Europeans as the U.S. law permits – realizing that when it comes to “national security letters” and the like, that may be “no notice at all” – and agree to comply only to the extent compelled by U.S. law.
Whether this will be enough to satisfy European privacy advocates — and avoid a Schrems III — is To Be Determined.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.