The Wall Street Journal reported Sept. 9 that Ireland’s Data Protection Commissioner issued a preliminary order that Facebook must stop transferring user data to the U.S. The order, which the Journal attributed to anonymous sources (“people familiar with the matter”), follows the Court of Justice of the European Union’s ruling on the Schrems v. DPC case in July, in which the court struck down the Privacy Shield agreement between the EU and U.S., citing problems with U.S. surveillance policies, as well as a lack of effective remedies for EU data subjects as required under the EU General Data Protection Regulation.

While the DPC’s preliminary order on its face looks like it could wildly disrupt data transfers for myriad companies like Facebook that rely on legal data transfers from the EU to the U.S. to conduct business, some say the ruling doesn’t deserve the visceral reaction Wednesday’s headline seemed to elicit.

It’s understandable that privacy professionals whose companies rely on EU-U.S. data transfers might take the DPC’s preliminary order as an indication they should immediately forgo all sleep and feeding times to seek a more stable operational solution. But that’s not the right takeaway, privacy experts told The Privacy Advisor.

Instead, the basic reaction from folks with corporate client interests in mind: What did you expect?

“This feels like one of those situations where you want to tell everyone in the room to take a moment, calm down, and think about the consequences of their actions,” said Fieldfisher’s Phillip Lee, CIPP/E, CIPM, FIP. “Right now, much of the world has been watching and waiting to see what action the supervisory authorities will take in the wake of the ‘Schrems II’ ruling. Pending any enforcement, transfers are — albeit with more friction — largely continuing on a ‘business-as-normal’ basis.”

Now, Lee concedes, that could change if DPAs start to drop penalties left and right based on data transfers’ legality given the Privacy Shield’s demise. 

In that case, “the consequences could be seismic,” he said. “Businesses will be trapped between a rock and a hard place — told they mustn’t export data unlawfully on the one hand, without having any meaningful regulatory solutions to enable lawful transfers on the other. In effect, it would be shutting U.S. companies, and wider international businesses, out of the EU market. How can any business operate in an internet world without data transfers? A Fortress Europe mentality is not what we need right now.” 

Miriam Wugmeister of Morrison & Foerster agrees with Lee’s “take a deep breath” assessment. That’s because, she said, the CJEU’s ruling was pretty clear that EU companies need to start looking at the surveillance practices of the third-party countries to which they’re aiming to send data, and the DPC’s order maps to that.

“I’m not shocked by this” decision, she said. “I don’t know this means that DPAs all around Europe are all of a sudden going to start investigating companies and stop their data flows. I don’t think those two things follow from each other.”

Christopher Kuner, professor at the Brussels Privacy Hub and senior counsel at Wilson Sonsini Goodrich & Rosati, agrees with his nonplussed peers.

“This action by the Irish DPC seems to be the logical consequence of the ‘Schrems II’ judgment since it was inevitable that the DPC would take enforcement action against Facebook following the judgment,” he said. “I don’t think that privacy professionals should panic, since the case is specific to Facebook, and it will take some time before appeals are exhausted.”

Wugmeister said the real conundrum for companies here — and one that’s being overlooked — is twofold. First, the CJEU is telling companies, bolstered by the Irish DPC’s order, that they must put supplemental measures in place to ensure data transferred by mechanisms still legal, like standard contractual clauses, is adequately protected.

“Where’s the quick list of the supplemental measures?” she asked. “Crickets, right? There are real crickets. I definitely think companies should be evaluating how the two U.S. regimes’ Executive Orders apply to them, and you need to be looking at other countries. That’s what the court said. What are the surveillance laws of the other countries where you’re trying to send data outside of Europe?”

She said doing that is a “phenomenally difficult” task to ask of small- or medium-sized companies in the EU. And she’d know because she’s doing that grunt work on behalf of clients.

“If you’re a European medium-size company and you share information with your service provider in India, how are you, a little French company, supposed to do an evaluation of the surveillance laws outside the EU? With what resources? It took the (CJEU) three years to do that just with the U.S.,” and that was only because of the Snowden revelations, she said. What of countries that haven’t had massive surreptitious reveals?

Wugmeister added that, second, while reactions to the CJEU ruling have started conversations like “what’s a company to do?” the real pressure should be on governments on both sides of the Atlantic to come up with a political solution.

“To be totally candid, I think this is the part that’s kind of unfair about the (CJEU) decision. The (CJEU) basically said, ‘The real problem here is not the agreement between companies; the real problem is with the government, it’s the surveillance.’ But because the court has no jurisdiction over intelligence services, even in Europe, they didn’t say, ‘OK, intelligence services, you need to change what you’re doing.’ They put all the burden on the companies. How are the companies going to influence the intelligence services in the U.S. and Europe?”

Kuner doesn’t totally agree with Wugmeister’s assessment here.

“I don’t think fairness…
