Last weekend I found myself in front of the TV screaming ‘Go Max! Go Max!’. It didn’t help. Young Dutch F1 driver Max Verstappen couldn’t finish the race a week earlier in Austria due to technical issues, and last weekend he also got stuck behind Hamilton’s car in the second race. Nonetheless, last weekend: a podium.
There must be something in a name. Or in Austria. After three years of rattling cages, Austrian Max(imilian) Schrems – at the time a law student – managed to single-handedly invalidate Safe Harbor as a cross-border transfer agreement between the U.S. and the EU in 2015. Many have complained about Facebook for years; few have gone as far as Max and taken it to court the way he did. Where the Edward Snowden revelations around PRISM (and all that followed) led to concerns in the U.S. about spying on Americans as much as on foreigners, Max took the same revelations to argue that Facebook actively enabled mass surveillance outside the U.S., notably in the EU. Though courts were afraid to burn their fingers on it, Max took it to the European Court of Justice, which ultimately decided that Safe Harbor did not provide adequate protection.
Many of Gartner’s clients hurried to the phone and asked ‘what now?’ We advised them not to panic, as we expected a replacement agreement within a few years. Meanwhile, especially for those with a low risk appetite, we advised moving towards more assurance by relying on Binding Corporate Rules (BCRs, for intra-organizational transfers) and Standard Contractual Clauses (SCCs, for transfers between organizations), at least for transfers to and from countries without an adequacy decision from the European Commission. Confusingly, the EC’s website lists the U.S. as well, though only by merit of Safe Harbor’s successor: Privacy Shield.
The Privacy Shield has been under heavy scrutiny from its inception onward, with concerns raised externally and even internally. Still based entirely on self-certification, and even though the FTC oversees enforcement and sanctions false claims, it was doomed to fall at some point. Yes, over 2,500 organizations self-certified under it within 1.5 years. Futile, as it turns out: the curtains have once again fallen for the Shield in the case known as ‘Schrems II’. Note this is NOT (only) about Facebook. At its core it is about what is needed for the EU and the U.S. to establish sufficient mutual trust in how (well) personal data is protected once it is processed across the Atlantic.
What Does This All Mean?
Well, I’d like to say that our advice of 2015 still holds unchanged, but some things have changed. I don’t expect a replacement any time soon: a gentleman’s agreement between the EU and the U.S. can only be changed and still trusted so many times. From a U.S. perspective, there seems to be little to no concern about where data actually resides. From an EU perspective, though, I can only stress the need to have alternatives available. Standard Contractual Clauses, after all, though challenged in the same Schrems II case, were reconfirmed as valid in the ruling. They don’t cover everything, however: the ruling also expects the data exporter to assess whether the law of the destination country actually lets the clauses be honored, and to add supplementary measures where it does not. Transfers of personal data within an (international) organization are better covered by Binding Corporate Rules. Since it takes on average at least 8-10 months to establish BCRs, you should get into the race as soon as possible. The requirements under both SCCs and BCRs are stricter than those of Privacy Shield, and as such they lead to enhanced control over personal data in general. And privacy, after all, is about controlling the data correctly.
Long live privacy.