So I’ve been away for a while, but finally got my head around major decision from Europe’s top court last month involving @Facebook, @maxschrems & $$ billions in data sent from EU to US.

Stay with me here, this gets weird, real quick.

<<cue thread>>
So the basics: Schrems complained to Ireland’s #privacy watchdog that FB wasn’t protecting his data when it was transferred to US. Why? Because @Snowden revelations showed US govt was tracking FB data (w/o telling anyone).

Naughty, naughty
FB balked, so did the Irish. It all got sent to court, eventually landing w/ EU's highest judges.

Questions in play: 1) Should Irish regulator stop FB from transferring data to US? 2) Does US sufficiently protect EU citizens’ data? 3) How should data be moved outside of EU?
But the bigger issues are these: Can Europe tell the US how it should handle personal data — particularly when it comes to national security? Should Ireland have final say over how FB moves data (FB’s HQ is in Dublin)? And what about data transfers to, say, China?
Fast-forward to July 16: Europe’s highest court did something pretty momentous — it basically said no one (and I mean no one) could move data from the EU to the US because Washington didn’t protect EU citizens’ rights sufficiently
Let’s be clear about this. This is Europe telling its closest ally that the US national security agencies were playing fast and loose w/ people’s data and that without things changing, the data tap — worth hundreds of billions of dollars annually — must be turned off immediately.
I get what you’re thinking. Data transfers? What the hell are those. Well, they are everything from search queries or social media posts to payroll information or health records. Pretty much everything in the 21st century involves a data transfer.

And Europe told the US to stop.
But, w/ everything linked to tech policy, it gets even more complicated. Europe’s top court said the US didn’t protect EU data. But it then said it was up to national #privacy agencies and — initially — to companies themselves to make that assessment for other countries
How will a small, underfunded privacy agency or company decide whether a third-party country like China is upholding EU data protection rights? Well, that’s a very very good question.

Here’s the answer: they can’t.
And that’s where we come to the UK. (Gotta get Brexit in here somewhere, amirite?).

The EU Court’s ruling was clear: data transfers MUST be turned off to any third-party country that plays fast and loose w/ EU data.
Now, come Jan. 1, the UK is out of EU, for good. It becomes a third-party country — likely w/o an adequacy deal.

And what is UK known for? Data-hungry intelligence agencies (and bad weather, but I digress). Agencies that also like to share data with the US, I might add
So you have a situation where EU court has decreed that third-party countries that misuse EU data must have their data taps turned off from the EU.

Where does that leave the UK w/ its close ties to the US and where politicians have already said they want to go their own way on rules?
I envisage this: UK won’t get adequacy by end of year, leaving it high and dry on data. But even if it does (it won’t), EU court has already decreed that national #privacy agencies must turn off taps if they believe third-party country is misusing EU data for national security
Cue: Investigatory Powers Act, GCHQ’s data collection and the very very high likelihood of Brits sharing some, if not all, of that data w/ the US.

You get where this is going, right? (Hint: 75% of UK transfers, involving $$ billions of annual trade, are with the EU)
As for the US? @EU_Commission doesn’t have many more levers to save “Privacy Shield,” a legal fudge to allow EU-US data transfers to continue. The EU court was very clear: US just doesn’t cut the mustard.
From CJEU: "court considers that the law of that third country (US) does not provide for the necessary limitations and safeguards with regard to the interferences authorized by its national legislation and does not ensure effective judicial protection against such interferences."
That basically leaves it to Washington to find a solution — and find it now, just when there’s the most polarized election going on in modern history and no one (and I mean no one) wants to think about data transfers.
Options for US: find a way to give EU citizens legal redress over potential US govt abuse of their data.

How can that happen? That’s a tough one b/c it’s not like US spooks go around saying “Hey, Ms EU citizen, I’ve just misused your data”
Then you’ve got the question of the federal govt willing to take orders from Europe, the ongoing trade dispute and how this may play into it, and the UK stuck in the middle trying to get trade deals done with both sides — when both sides want different things.
I cannot express how f*cked everyone is on this. Seriously.

1) Citizens — still no real redress on their data potentially being misused.
2) National privacy agencies — given thankless task of assessing national security data collection practices of non-EU countries
3) Companies (ducks to avoid abuse) — tasked also to assess whether they can legally move data from EU to third-party country, with likely lawsuits to follow no matter what decision they make.
4) Govts — trying to square a circle on new rules when there is no workable solution
How will this end? Technically, EU-US transfers *should* have stopped on July 16 (Hint: they haven’t).

Legal challenges to that have already been filed, much lawyering will be had.
There will be grace period as people figure out a solution. (There isn’t one, really). But that grace period will eventually end, so you better get used to (cue: favorite internet theme) greater balkanization as data is stored within specific jurisdictions to avoid legal costs
Fun fact — bigger firms (you know who you are, social networks and search giants) *could* rely on <<cue geekiness>> Article 49 of GDPR that allows data transfers to continue under exceptional circumstances, or when ppl consent to such transfers
It’s not supposed to work that way (that Article is supposed to be ad hoc transfers, only). But when things are so f*cked-up, you do what you can, amirite?
So there you go. I’m 6 weeks late to the party, but that’s my sense of where we are. Holler if you disagree or think I’ve missed something.
Rant over. Thoughts appreciated.
PS: Fun fact: after all legal wrangling, it turns out there has been only ONE case (involving Croatian citizen) over lifetime of Privacy Shield sent to US for legal redress b/c of alleged govt data misuse

That case was dismissed b/c alleged abuse happened before PrivacyShield 🤷‍♂️
Roh ruh — @dreynders says new data-transfer deal w/ US is not coming soon AND #SchremsII ruling will affect UK adequacy deal (whenever that is coming)

Keep Current with Mark Scott
