Tag Archives: Privacy Shield

Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI, via the NSA, to collect information ABOUT Americans without a warrant, using some sleight of hand saying the information was collected incidental to someone or something they were interested in.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless they agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy Shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizens’ privacy.  About 2,400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly.  In fact, they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that; they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On. That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.


Max Schrems’ Fight With Facebook – Next Chapter

Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.

Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.

That battle wound up at the CJEU – The Court of Justice of the European Union.  The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.

In October 2015, the CJEU ruled in favor of Max.  Against Facebook.  And against the United States.  Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens’ data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.

To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.

One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.

Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it.  Not even a lot of lipstick.

An alternative to Safe Harbor was something called Standard Contract Clauses.  These legal terms were written by the EU and when included in end user agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.

Schrems, being the thorn in the backside of Facebook that he was, decided that these standard contract clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on Standard Contract Clauses.

Well that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy.  The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on Standard Contract Clauses.

While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectations of privacy.  In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent.  Under a new law going into effect in the middle of next year, called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of its global annual revenue for a privacy breach.  For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars.  That is why they are fighting so hard to keep these known rules in place.

The CJEU is the final stop.  There is no appeal from there.  Given that the CJEU ruled against Facebook two years ago, the odds of ruling for Facebook this time are shaky – but we don’t know how it will turn out.

Schrems, on the other hand, is a pretty happy camper.

Stay tuned.  IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.

Alternatively, all data transfer between the EU and the US could be stopped unless the person whose data it is has EXPLICITLY approved that transfer.  That approval cannot be buried on page 27 of a terms of service agreement that no one reads.

STAY TUNED.  It could get interesting.

Information for this post came from Fortune.


US-EU Agree On New Data Privacy Rules But Hold The Champagne

UPDATE:  The EU Commissioner for Justice made statements just before the agreement was approved indicating that not everyone has signed up for this agreement.  Read Commissioner for Justice Vera Jourova’s comments here.

While the US and EU did not meet their targeted deadline of January 31st for coming up with a replacement for Safe Harbor, they sort of came close.  But, apparently, there are still a number of hurdles to jump through.

First, the US and the European Commission agreed on February 2nd to a new agreement called Privacy Shield to replace the 15+ year old Safe Harbor Agreement.  However, they don’t have the final say on the agreement.

A next step is to get the Article 29 Working Party to agree to the agreement.  WP29 is a group of all 28 EU nations’ Data Protection Authorities.  Their approval of this agreement is key to not having another court fight once this rule (if approved) goes into effect.  That is expected to take about 3 months.

Next, the Data Protection Authorities need to agree on what they are going to do in the meantime.  After the court struck down Safe Harbor, they agreed not to enforce the court ruling until January 31st so that the US and EU could come up with a replacement and so that they did not throw the thousands of businesses that used the Safe Harbor Agreement to transfer data between the US and EU into chaos.  That deadline has passed.  I speculate that they will extend the moratorium, but that is anyone’s guess.

And, there is always the court to contend with.  Max Schrems could always go back to the court and say that this new agreement does not solve the problem.

Finally, the agreement requires the US to do certain things and my understanding is that those would have to happen before the agreement could go into effect.  One requirement that WP29 has already said must happen is that the US must pass a law giving EU residents a right to sue in US court for breaches of any agreement.  A bill to that effect is winding its way through Congress, but has not been passed by both Houses, reconciled or signed by the President.

While the diplomats may have signaled success by agreeing to the terms that they did, getting the 28 Data Protection Authorities to agree that these protections are sufficient is another matter.

While I have not seen the actual agreement, reports are that it calls for:

  • Clear safeguards and transparency obligations on the part of US government access.  I think this could be a challenge.  While the US has given the EU written assurances that data access will be limited, whether the gang of 28 believes the US or not could be key to getting the agreement approved.
  • Stronger obligations for US data importers to protect EU citizens’ data.
  • EU citizens must have effective rights of redress.  This includes requirements for the data importer to set up processes, the Federal Trade Commission to create a process for handling EU citizen complaints – something it has never done – and for the Intelligence Community to set up an independent ombudsman to address complaints of inappropriate access.

Some of these may require Congressional action – or not.  In any case, what is clear is that this is not over yet and US companies should not breathe a sigh of relief.  It is, however, a sign that progress is being made.

Information for this post came from the Data Protection Report.
