“I told you so,” I said.
The EU court has now ruled for the second time in the case of Max Schrems versus Facebook. Spoiler alert: the EU economy lost. While the debate amongst the lawyers and pundits will go on for some time, the outcome is that countries must now weigh their national security against digital trade with the EU. The implications for developers in both the U.S. and EU are that soon any transfer of GDPR data across the Atlantic will technically be prohibited. That’s the point where GDPR ceases to matter outside the EU.
GDPR requires that you ensure that an EU citizen’s data rights aren’t degraded when you take their data out of the EU (ignoring the metaphysics of what passport an EU electron actually carries). Yes, I’m generalizing so that this is understandable to non-lawyers, so don’t sue me. Following the Snowden “revelations” (remember him?!), Max S. took GDPR at its word and sued Facebook, eventually arguing that the company might have handed his information to the U.S. National Security Agency (NSA) without his permission or knowledge, AND with no legal recourse to prevent it or even determine whether it had happened. The U.S. took steps and, in concert with EU regulators, put in place “Privacy Shield” (the mechanism that allowed companies to move data out of the EU under GDPR) to address as much of this as they could. But in the end, surveillance happens. The EU court ruled last week that Max is right in terms of what GDPR promised. The end result is that there will soon be (or already is — more later) no way to move data linked to an EU citizen out of the EU.
Following the Schrems II decision, companies outside Europe that are trying to follow GDPR have few options:
- they can ignore EU law and pretend this didn’t happen,
- they can change their country’s national security law to ban surveillance, or
- they can house all EU data in Europe with European companies (until the courts inevitably rule that’s illegal too — you heard it here).
I predict: 4) ignore the imposition of EU law outside the EU, wait until someone gets fined, then watch the EU thrash as trade comes to a grinding halt, digital companies abandon the market in panic, and political upheaval spikes. It’s not clear the European Commission had this (inevitable) outcome in mind when they celebrated their extraterritorial privacy law.
You probably think I’m being alarmist — or at least hyperbolic. Go ask your lawyer what a U.S. company should do now that Privacy Shield has been ruled invalid. They’ll likely say “use standard contractual clauses”, a window the EU courts left open just a crack when they ruled on the Schrems II case. Then ask them if that will prevent you from having to pay multi-million Euro fines for breaching GDPR, and they’ll nervously say “that depends…”. What it depends on is whether you can enforce a clause that prohibits your government from accessing any EU data you have — even for national security purposes. Put another way, in addition to all the excellent privacy stuff, GDPR requires you to keep EU data out of the hands of people like the NSA (good luck storming the castle!).
The immediate impact is that any promises under Privacy Shield are insufficient (EXPERT TIP: if you promised the U.S. Federal Trade Commission you’d do stuff per Privacy Shield, that’s still binding!). The fallback is these “standard contractual clauses”, where each company writes its own contracts binding itself, and the third parties it uses to handle EU data, to follow GDPR. Unfortunately, one of the promises you’ll need to make (see above) is that no one will give EU data to a foreign government. Somewhere down the line (tomorrow) Max S. will call you on that. Fines to follow. Insert parade of horribles here.
So what should your company do to keep operating today?
I think most firms, and most lawyers, will stay the course but stop referring to Privacy Shield and refer instead to the standard contractual clauses, in lip service to the EU court. In short order I predict these too will be ruled invalid, so if you’re smart you’re also looking forward. Tomorrow’s decision will be: cut the cord between domestic and EU operations (no HR data moving, no user data, only EU service firms — complete separation) and march on, or abandon the EU market. Lobbying for son-of-Privacy-Shield is a waste of effort (sorry AmCham), but perhaps ratcheting up the war on digital protectionism today will encourage a swifter reckoning in Brussels.
GDPR was a good idea turned into disaster through overreach. Now that GDPR compliance is essentially impossible from outside the EU, what is its global relevance? I have warned since its inception that GDPR’s extraterritorial reach was less a brilliant idea and more a fatal one. The EU is marching towards the same cliff on platform regulation, digital taxation, and a number of other tech issues. At some point, policy makers must come to grips with the fact that, despite the internet’s borderless nature, states must maintain logical borders inside it — if only to define who has jurisdiction.
GDPR was the catalyst that got the world thinking hard about privacy. It’s now time to tear it down and replace it with something that stops at the EU borders; to do less risks complete digital isolation. In the meantime, the Commission’s attempt to force European values on the rest of the world is crashing to earth alongside Icarus’ wings.