Sorting Through GDPR: What to Watch After May 25
May 25 is an important day. The shroud of uncertainty surrounding the General Data Protection Regulation implementation this Friday smacks of Y2K thrill. What is in store for us in a post-GDPR world?
First off, no, the GDPR is not the new and improved version of East Germany. It’s the new and improved version of the European Union’s EU-wide ambitious privacy regulations and a perpetuation of classic EU privacy values. It’s a very big deal not just for European companies but also for U.S. companies that do business in Europe.
Over the past few months, Lawfare has attempted to separate the signal from the noise on the subject: Chris Mirasola summarized the regulation; Matthew Kahn wrote about the internet-security impact of GDPR on the Internet Corporation for Assigned Names and Numbers’ WHOIS database; Hayley Evans and I explained the interaction between GDPR and U.K. legislation through the lens of Brexit; Evelyn Douek touched on the role that GDPR plays in the recent Facebook mishigas; and most recently, Ali Cooper-Ponte dug into the complexity introduced by GDPR derogations.
A lot of concerns have been bandied about in anticipation of the regulation’s launch, so I’ve taken the initiative to outline the key national security and data-privacy threads worth tracking after GDPR goes into effect:
The Cloud Act and cross-border access to digital evidence
The Clarifying Lawful Overseas Use of Data Act is a U.S. law (passed as part of the March 2018 omnibus spending bill) that amends the Stored Communications Act to enable U.S. federal law enforcement to make American tech companies provide requested data from their servers, even if the data in question isn’t stored on a server in the U.S. The GDPR, on the other hand, allows for data transfers in compliance with foreign warrants and court orders if they are “based on an international agreement such as a mutual legal assistance treaty.” Jennifer Daskal suggests that transfers may be permissible under two separate GDPR derogations, described in more detail by Cooper-Ponte. That said, an agreement—as opposed to a derogation—presents as the most efficient way to satisfy GDPR requirements and the Cloud Act is not an international agreement in its own right. The need for an EU-U.S. agreement on law enforcement access to digital evidence becomes even more important after May 25.
Adding another layer of complication is the less-discussed EU Law Enforcement Directive (LED), which has been active since May 6. EU directives do not have direct effect; they must be implemented by each EU member state through domestic law. In this case, the LED will be implemented by a variety of domestic laws guiding how investigatory bodies handle personal data in pursuit of law enforcement goals, including in terrorist investigations. For this reason, there may be some interplay between the domestic legislation in each EU state implementing the LED and a Cloud Act transfer.
The Cloud Act allows for executive agreements with foreign governments in order to facilitate evidence transfer, and any agreement will have to take into account the total interplay between EU regulations (GDPR, et al.) and U.S. law enforcement needs. As Daskal and Peter Swire have written, the negotiation of any such agreement will be complex and will require careful legal crafting. Attorney General Jeff Sessions met with EU officials on May 22 to begin this dialogue.
It’s also worth reiterating that the GDPR purports to regulate the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.” In other words, the location of the data is irrelevant. With that in mind, the definition of a transfer and the practical reach of GDPR post-transfer will be particularly important developing concepts.
The Privacy Shield, like its invalidated predecessor “Safe Harbor,” is an agreement between the United States and the EU that affords companies in the U.S. a framework for compliance with EU data-protection requirements when transferring data from the EU to the U.S. There is no reason to believe that GDPR will invalidate Privacy Shield; compliance with the Privacy Shield agreement will require compliance with GDPR when dealing with data subjects in the EU. (Privacy Shield is functionally an adequacy assurance, or an assurance that the U.S. provides an adequate level of protection for that data under Chapter V of the GDPR).
That said, the European Commission made a number of recommendations at Privacy Shield’s last annual review that require substantive changes to the framework. The next review will track progress against those recommendations and also take into consideration levels of compliance at the same time as GDPR is increasing the cost of compliance.
What’s more, GDPR just happens to be coming around at the same time as Maximilian Schrems’ latest assault on EU-U.S. data transfer frameworks. Schrems is a privacy activist who has brought a number of cases against Facebook challenging data handling—it was his litigation that invalidated Safe Harbor in 2015. In this case, the High Court of Ireland recently referred 11 questions to the European Court of Justice (ECJ) regarding the legality of transfers between Facebook’s Irish and U.S. corporate entities. Privacy Shield is one of the central subjects of interrogation in the referred questions, and with the ECJ having invalidated Safe Harbor (you can read more detail on the decision here), it is worth keeping an eye on how GDPR extraterritoriality and Privacy Shield develop in parallel.
While the contours of the regulation (and the astronomical upper-penalty limits) are outlined in the GDPR text, there is a lot of uncertainty about how the regulation will be enforced. First, the regulation itself requires interpretation; its broad language will need to be narrowed and defined through use-cases. But in addition to that, the bodies dealing with early cases may not be prepared to meet their GDPR obligations. A recent Reuters survey of designated European supervisory authorities (each EU state must have at least one) has suggested that many are not prepared for enforcement. The GDPR enforcement regime is made up of a network of authorities from the Data Protection Officers within companies, boiling up to the national Supervisory Authorities, and ultimately the European Data Protection Board. For that reason, enforcement happens at the national or transnational level. Seventeen of the twenty-four national Supervisory Authority respondents to the survey said that they were lacking the necessary funding or “would initially lack the powers” (presumably referring to domestic legal authority) to fulfill duties under the regulation. As late as May 8, Reuters cited the President of France’s Supervisory Authority, the Commission nationale de l’informatique et des libertés, as saying that “We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR.”
Prolonged uncertainty about how the GDPR will be enforced may lead to distortions in the privacy market—who will comply and how? Who will bet against enforcement in order to save on compliance costs? How uniform will GDPR regulations be? What about forum shopping?
The ePrivacy regulation, another developing piece of legislation that will further define the contours of the the EU data privacy landscape, is also worth tracking. Cooper-Ponte discusses it in more depth on her piece on derogations.
National Security Exception
The GDPR does not apply to the “free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security.” Moreover, an EU state may pass a law restricting the scope of obligations and rights presented by GDPR when “such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard ... national security.” This is known as a derogation, meaning that there may be some variability in regulation between EU states. This language regarding national security will no doubt be interpreted closely over the course of GDPR implementation. Those concerned about the potential for countries to abuse GDPR derogations—or the overall direction of EU use of data for national security purposes and its follow-on effects—should pay close attention to these definitions.
The GDPR’s restrictions and rights are reiterations—and, in some cases, expansions—on a number of long-standing EU privacy values. Article 16(1) of the Treaty on the Functioning of the European Union, for example, provides everyone with the right to personal data protection. The right to respect for private and family life is enshrined in Article 8 of the European Convention on Human Rights and Article 7 of the EU Charter of Fundamental Rights. Article 8 of the Charter also clearly articulates a right to the “protection of personal data” with requirements that data be processed “fairly for specified purposes and on the basis of consent of the person concerned or some other legitimate basis laid down by the law” including a right of access and rectification. Finally, the GDPR echos many principles and explicit terms found in the EU directive it will replace: the Data Protection Directive.
So the values that undergird the GDPR certainly aren’t new. But the GDPR does introduce two new dynamics. First, the increasingly global reach of EU law may put it in the position to creating a “Delaware effect” or a “California effect”—the shift of companies and consumers toward or away from jurisdictions with strict regulatory regimes. The GDPR’s extraterritorial reach will encourage some companies to apply GDPR standards (and protections) to all data subjects, spreading GDPR values outside Europe. The EU is a first mover in this space and, as we’ve seen, a big enough market to meaningfully impact the largest companies. It will be important to keep an eye on whether there will be a race to the bottom or a race to the top amongst other jurisdictions.
Second, in addition to internal decisions about how to operate, recent days have seen proposals for U.S. domestic legislation that mirror GDPR principles: The Consent Act, introduced by Sens. Edward Markey and Richard Blumenthal, proposes opt-in consent from consumers when online companies are aiming to sell “sensitive customer proprietary information.” And the bipartisan Social Media Privacy Protection and Consumer Rights Act, introduced by Sens. Amy Klobuchar and John Kennedy, includes a number of other features that will sound familiar to you if you’ve read GDPR: a broad definition of personal data, disclosure about how data is being used, the ability to withdraw consent to terms of service, and the right to access data among other rights. Both bills have breach notification requirements as well, but those have already been implemented by most states.
It’s impossible, and perhaps unuseful, to disaggregate what proportion of these U.S. proposals is in direct response to the scandal over Facebook and Cambridge Analytica or a reflection of the impact of GDPR. That said, the similarities are unmistakable. At this inflection point, the implementation of GDPR might well be the harbinger of something bigger: the beginning of a values creep, if you will, or a consolidation of values across the pond or perhaps conflict between them.
These effects aren’t necessarily bad. There is a lot to be gained by taking two sets of beliefs about privacy rights and navigating compromises between them; hopefully any sweeping U.S. federal legislation concerning data processing will reflect thoughtful deliberation on all options available to the government and all concerns pertinent to the consumer. But, as a colleague of mine recently lamented, there are floating assumptions that the EU may have “won” in this realm. With the increasingly global nature of data, has the EU beaten the U.S. to the regulatory punch? This is a far from settled question. It is still too early to tell if another major world player, such as the U.S. or China, will attempt to create competing standards for data processing and collection. Will there be balkanization as a result, or will the EU win the day and create true global uniformity? It is worth keeping an eye on which global power will set the standards for data privacy and processing over the coming years.
As with any sweeping legal change, there are likely to be a number of unanticipated second- and third-order consequences. While I remain skeptical of those commentators framing GDPR as a revolutionary regulation—the GDPR was approved in 2016 and has always been a reflection of core EU values and its long-standing predecessor, the Data Protection Directive—it seems probable that GDPR enforcement will bring added specificity and change to data protection regimes around the world. After May 25, it’s worth paying attention to both these threads.