Schrems II has led to muddling as the latest data protection strategy. The muddling is over transferring data from Europe to anywhere else in the world. The ultimate problem is that national security agencies, no matter where they are located, can’t and don’t want to be part of binding agreements to assure Europeans have similar protection when their data are processed outside the European Union. So, companies will do the right thing by muddling. They will document that they have not been the subject of bulk data requests. They will document that they have a procedure to deal with such requests if they are received in the future. Depending on the risk of receiving such requests, they will put in place supplemental measures (e.g. store data in Europe, encrypt data when it is in transit, and/or pseudonymize the data when analytics are run on them). They will have privacy policies that disclose that transfers are covered by standard contractual clauses. They will hope it is unlikely that their data transfers will be subject to a regulatory complaint or a suit filed directly with the courts by an NGO.
It is possible the end may be in sight for some of this muddling. The EU Commission and the U.S. Department of Commerce have announced negotiations for a third agreement following Safe Harbor and Privacy Shield, but such an agreement does not cover transfers to the Philippines or Canada. Such an agreement does not address adequacy discussions with the handful of countries that already have an adequacy finding. Furthermore, how can U.S. negotiators plead the case for dynamic data flows when the U.S. bans TikTok and WeChat?
While companies muddle along by doing their best to interpret the data protection tea leaves, limited resources are diverted away from initiatives that could actually improve privacy and protect individuals. In addition, few outside of academia understand the nuanced philosophical debates about constitutions and rights, cementing the unflattering impression that privacy is squishy and silly, not to be taken seriously by executives who operate in the here and now.
The best case for muddle as a strategy is that it buys time, and during that time, policymakers will negotiate an agreement that buys additional time. Articles 79 and 80 of the GDPR raise questions about the wisdom of muddle as a strategy. Individuals may go to European courts directly or collectively through NGOs. For example, on August 17, NOYB reported that it had filed 101 complaints related to transfers to the U.S. The IAF is holding a policy call September 14 to discuss collective action in Europe.
An agreement between just the U.S. and Europe isn’t the answer. A U.S.-EU deal doesn’t solve the problem because data flow to many different countries, and national security agencies in those countries will use the data. In the end, companies can’t solve this problem. Yes, they can lobby governments, but it is those governments that must solve the problem, and they have the incentive to do so. Data drive national economies, as the digital strategies for the European Union, Canada, Singapore, and almost every country that has an industrial economy show. The IAF’s mission is to encourage data’s use in a way that data serve people as those digital strategies move forward.
One of the IAF’s first projects was on government use of private sector data and maintaining an accountability chain. As a member of the advisory panel for the International Conference of Data Protection and Privacy Commissioners (now Global Privacy Assembly) in Morocco, the IAF facilitated a plenary session on this topic. As part of its mission, the IAF will continue agitating for a global agreement. It is only through talks illuminating the proportionality between individuals’ interests in seclusion and autonomy on one hand and their desire to live in secure physical environments in all countries on the other hand that data protection strategies for corporate data transfers go beyond muddle to real probability.