I wrote this article for BEERG's weekly newsletter on Sept 23rd. The newsletter goes to approx 1,000 senior HR professionals across the EU and US.
I have been deeply involved in monitoring the development of the data privacy and protection issue since first working on the early legislative passage of the General Data Protection Regulation through the European Parliament and Council. This article features a link to an article I wrote for the EurActiv news-site in late 2012 on the complexity of GDPR’s employee data provisions.
I have added some extra paragraphs in this version that are pertinent to the Irish domestic situation and – not for the first time – I finish an article with my favourite LBJ saying/quote.
This was the week when the stark reality of the Schrems II judgement became clear. When the rubber hit the road.
In last week’s BEERG Newsletter I portentously observed that the already complex position around Standard Contractual Clauses (SCCs) and other methods of transferring personal data to the US was about to become more complex. Little did we realise how quickly that would happen.
The Irish Data Protection Commission made a preliminary move to halt Facebook’s use of SCCs to cover the transfer of data from the EU to the US. Facebook has some 400m+ users in Europe. Facebook went to court.
Within days, the text of Facebook’s affidavit to the Irish High Court appeared online. Its contents fueled headline speculation in respected broadsheet newspapers and reputable media outlets that Facebook was threatening to quit the EU unless its concerns were addressed.
Facebook has since denied that the affidavit it filed amounted to a threat to quit. “Facebook is not threatening to withdraw from Europe,” its spokesperson made clear, saying that the affidavit it filed against the Irish Data Protection Commission (DPC) was merely a simple reflection of reality, adding:
“Legal documents filed with the Irish high court set out the simple reality that Facebook, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate their services. A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”
Facebook is correct. It calls out the economic consequences of Schrems II.
It is an argument that almost any company could make, but most would probably choose not to make it in such a confrontational style. They would probably not cite under-resourcing of the office of the regulator as grounds for the Courts to intervene and nullify the regulator’s preliminary order.
You would almost have to admire their brazen chutzpah in now claiming the DPC is too understaffed* to conduct a fair investigation when this very under-resourcing has been to Facebook’s advantage for years. (* at point iv of its “factual grounds for challenge” Facebook cites: “Conducting of the entire investigation and adjudicative process by a single person and / or the involvement of that person in the entire process”). There is a sole commissioner in the DPC, but several deputy commissioners.
The under-resourcing of the Data Protection Commission was raised by Senator Malcolm Byrne in Seanad Éireann (Irish Senate) this week. Responding, the Minister of State for Justice, James Browne TD said:
That increase in budgetary provision further demonstrates the Government’s continuing commitment to meeting the funding requirements of the Irish data protection authority and the importance of a strong regulatory data protection framework to underpin the continuing growth and expansion of Ireland’s digital economy. The Data Protection Commission currently has 147 staff but this will increase to 180 by the end of this year, which is another significant increase in the number of staff provided to the Data Protection Commission.
This is progress, but it shows that the Irish government still fails to grasp the scale of the regulatory work the DPC undertakes. In effect, the DPC is the EU data regulator when it comes to the big social media giants, given how many of them have their EU operations headquartered in Ireland.
Even the fact that the Irish government no longer has a minister/minister of state with specific responsibility for data protection shows that it does not get it, never mind the extent to which it neglects the real and costly cyber security threats the country faces. An issue I have highlighted several times, including HERE and HERE.
The most recent Schrems II decision from the European Court of Justice (CJEU) did not write new law; it interpreted existing laws. These laws have been there for years. The ruling, which ultimately stems from a legal battle between Facebook and the Irish DPC, has now placed the use of SCCs into a problem area.
So, once again, data transfers between Europe and the US are in a state of confusion. Once again, a legal battle that has been slowly making its way back and forth through the courts in Ireland, though not exclusively, and in Brussels, has left business with more questions than answers. And, once again, the argument is being conducted as if this was only a concern for IT and Social Media behemoths such as Facebook.
We have been here before. Without a doubt, a great deal of the legitimate and serious concerns that Facebook has are also felt by many hundreds and thousands of other companies trying to conduct business and requiring regular and secure data transfer processes across the Atlantic.
We saw this, first hand, during the initial discussions about the GDPR in 2012 and 2013. Back then the issue of data protection and data privacy was debated and discussed across the EU institutions as if it were a matter that concerned IT giants and social media platforms alone. All too often the issue was seen solely through that prism, to the detriment of the vast majority of companies.
BEERG members know only too well the difficulties there were in trying to get policy makers to grasp that data privacy and data transfers were issues that affected and impacted almost all companies, and that for the vast majority of companies across the EU, the biggest database they held and operated was their employee database.
We got the message across to some in Brussels. We succeeded in securing changes – but we see, in retrospect, that they were not enough.
To safeguard transfers to the US, there first was Safe Harbour, but that system collapsed upon inspection. Then we had Privacy Shield. It too has failed the test. To add to the general sense of uncertainty, the EU Commissioner with responsibility for data privacy, Didier Reynders, told members of the European Parliament three weeks ago that “there will be no quick fix” as the political nature of the issue would likely hamper progress on a replacement.
This is code for do not expect any progress before the presidential election… or, even for a few months after that, depending on the outcome. In essence, the European Union is asking the United States to make legislative changes to its surveillance laws aligning them with European expectations of privacy.
It is no small ask. The response will be dictated by the political complexion of both the White House and Congress, but it is the key to unlocking this problem in a sustainable and workable manner.
The one small hint of hope from the Commissioner at that meeting with MEPs was his signal that he hoped to have a first draft of the Commission’s plan for “modernized” SCCs later this month.
The EU Commission says that modernized SCCs should be expanded to deal with various data transfer circumstances not currently covered, including transfers of data between an EU data processor and a non-EU data processor, and should allow multiple parties to sign SCCs and allow the accession of new parties.
The Commission hopes it will be able to finalize the updated SCCs by the end of 2020. It is awaiting the input of the European Data Protection Board (EDPB) on some key aspects. The EDPB is expected to set out its position at its upcoming board meetings, either in October or November.
Securing progress on SCCs in the short term is crucial to the continuation of EU/US data transfers. Getting EU/US inter-governmental movement (and in reality we are talking about movement on the US side) on US surveillance laws and their application to the data of EU citizens is vital for the medium to long term survival of EU/US data transfers.
Just how these half-hearted Facebook threats to quit help to deliver these twin strategic goals is beyond us, though they perhaps offer an insight into how Facebook’s current public affairs boss managed to almost wipe the UK party he once led off the electoral map.
As LBJ famously advised: never tell a man to go to Hell, unless you can send him there.