One of the world’s most important international data transfer mechanisms was under scrutiny this year in a landmark ruling at the European Court of Justice (ECJ) in the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems – or Schrems II – case. At stake was the validity of Standard Contractual Clauses (SCCs), a legal tool used to transfer data from Europe to over 180 countries around the world.
On July 16, SCCs were upheld by the Court; however, the ECJ struck down the EU-US Privacy Shield Framework, the main tool used to transfer data across the Atlantic, over concerns about US surveillance practices. The decision impacted more than five thousand European and American companies—more than 70 percent of which are SMEs—that had relied on the Privacy Shield to run essential business operations, including human resources functions. This was the second time in five years that the highest court of the EU annulled a transatlantic data transfer mechanism, after striking down the Safe Harbor Privacy Principles (the predecessor to the Privacy Shield) in 2015 over similar concerns.
As the EU and the US engage in discussions toward developing a potential successor to the Privacy Shield, the Schrems II case has highlighted the need for the convergence of privacy rules globally.
The Importance of Data
Data is being dubbed the new gold. What makes gold valuable is its scarcity, but data is found in abundance. It is being created, stored, processed, transferred, erased, and updated at dizzying volumes every second of every day. The volume of data being created globally is expected to grow from 33 zettabytes in 2018 to about 175 zettabytes by 2025. To put this in perspective: one zettabyte amounts to roughly one trillion gigabytes. If 175 zettabytes were recorded onto DVDs and these DVDs were stacked, the tower this would create would cover the distance from the Earth to the moon 23 times.
Data will be a defining feature of this decade, and it has already proven an indispensable tool to managing the Covid-19 crisis.
Data-driven technologies are enabling governments to function, businesses to operate, and families to remain in contact. Whether it’s collaborating remotely for work, accessing legal web streaming services, connecting to virtual education platforms, making online purchases, or receiving telehealth advice—all these tools and services rely not just on data, but the ability of data to flow, often across borders. For governments, businesses, and citizens alike, the protection of that data is paramount, especially when personal data involved.
In the EU, privacy and data protection are fundamental rights. According to EU law, it is imperative that the rights, obligations, and protections afforded to personal data in Europe are maintained as any personal data is transferred to other jurisdictions, which was the heart of the matter in the Schrems II case.
Defining Personal and Non-Personal Data
The increasingly globalized and digitalized nature of our societies and economies make the convergence of privacy and data protection laws more important than ever. Yet reaching convergence globally is also becoming more complex.
To start, most privacy laws around the world have different interpretations of what constitutes personal data. While legal definitions of personal data are more or less explicit, their scope can and have been extended by practice and jurisprudence in different ways, leading to companies juggling almost as many definitions and interpretations as there are jurisdictions.
Moreover, there are almost no proper definitions of what is considered non-personal data. India is currently drafting a non-personal data governance framework; and the EU defines non-personal data in reverse—that is, what is not personal data. While privacy laws will reflect cultural and regional contexts, even slight nuances in a definition may have broader legal implications as data moves across borders, especially when privacy legislation itself is fairly new in many jurisdictions.
In addition, the EU requires that personal data cannot leave the European Economic Area (EEA)—which includes all EU member states plus Iceland, Lichtenstein, and Norway—unless the entity sending the data, whether it’s a government, business, or any other organization, uses an approved transfer mechanism found in the General Data Protection Regulation (GDPR). There are not many possibilities in practice.
European Data Transfer Mechanisms
Currently, personal data can be transferred from the EEA to a third country through: a determination by the European Commission that the other country’s privacy protections are “adequate;” a set of Binding Corporate Rules (BCRs); or Commission-approved commitments to be inserted in contracts, such as SCCs.
Most of the EU’s trading partners have not yet been assessed or deemed adequate by the European Commission. The adequacy process is long and burdensome, during which the Commission assesses whether a country outside the EEA offers an adequate level of data protection (including with regard to law enforcement and national security rules and practices), therefore allowing personal data to be transferred to that country without requiring further safeguards.
To date, the Commission has recognized twelve countries as adequate and is currently conducting adequacy talks with two other nations. And two recent adequacy decisions with the United States—the “Safe Harbor” agreement in October 2015 and the EU-US Privacy Shield earlier this year—were annulled by the CJEU, mainly due to concerns over US surveillance practices.
BCRs are a valid but cumbersome data transfer mechanism. These rules apply solely to intra-company transfers and, to date, only some 130 multinationals have received approval for their BCRs.
All other personal data transfers depend on SCCs, which enable businesses, governments, and organizations to send data from the EU to over 180 countries around the world, including Australia, Singapore, China, Brazil, India, and Mexico. SCCs are therefore indispensable to the ability of European and European-based entities to participate in today’s global, data-driven economy.
In practice, larger companies will rely on one or more of these mechanisms for transferring data, using the tool most tailored to their business needs and to the specific data transfer(s) at hand. However, many SMEs and small organizations do not have sufficient legal and financial resources for multiple data transfer tools; they will principally rely only on one mechanism, mostly likely SCCs.
In its July 2020 decision, the ECJ upheld the SCCs as a valid data transfer mechanism. But the Court required entities using SCCs (that is, companies exporting data from Europe and companies importing data in the third country) to verify, on a case-by-case basis, whether the personal data can be provided the required privacy protection in the country where the data is transferred. This puts a tremendous burden on individual businesses. It amounts to companies undertaking “mini-adequacy decisions” for every one of the transfer agreements needed to conduct their business. In many cases, this amount to hundreds or even thousands of contracts.
The Case for Global Convergence of Privacy Rules
This requirement will make data transfers more complicated at a time when the digital transformation, further spurred by the Covid-19 crisis, increasingly requires data to flow around the world safely and responsibly, but also seamlessly. New and emerging technologies are requiring this.
For example, many of the digital tools being developed and used today by companies and individuals alike rely on Artificial Intelligence (AI). AI is a data-driven technology that augments human intelligence, helping people make better-informed decisions by identifying relationships, patterns, and trends in data faster than ever before.
AI is not a new technology, but advances in the availability of computing power, highly sophisticated algorithms, and data have recently accelerated its use in all fields of human activity. AI solutions are already leading to improvements in many fields, including the legal sphere; for example, to support legal research or streamline contract review.
Data transfers are integral to every stage of the AI life cycle, from the development of predictive models to the deployment and use of AI systems.
Depending on the application, the data used in AI systems often originates from many geographically dispersed sources, making it imperative that data move freely across borders. The nature of the data is also relevant: the more personal data there is, the more complex it becomes to ensure that the data sets can be transferred from one or several regions of the world to others.
To keep the data flowing, global convergence of privacy rules and discipline on data flows is needed. The more divergences that exist between privacy laws or frameworks, the more difficult data flows become. And if data does not flow, many digital tools and services now considered routine may no longer be available, at least not in their current form.
There are some ongoing regional efforts to reach privacy convergence and the Convention 108 of the Council of Europe is one example. But such efforts need to be broadened to include other like-minded countries across the globe and be sped up.
Integral to the discussion is agreeing acceptable government access to data and national security practices. The recent tensions surrounding international data transfers have been less about the misuse or mismanagement of personal data by companies than about the level of access that democratically elected governments should or should not have to the personal data of citizens in the conduit of legitimate public policy objectives, in particular criminal investigations and national security protection. A starting point could be for like-minded governments to agree on and commit to a set of principles and best practices for access to digital evidence and on appropriate levels of independent judiciary oversight.
Policymakers will have to solve the difficult equation of how to adequately balance three fundamental elements: privacy, national security, and economic growth.
These are issues that can only be solved by governments and agreed in the context of bilateral or multilateral discussions. Much is at stake, and policymakers will have to solve the difficult equation of how to adequately balance three fundamental elements: privacy, national security, and economic growth.