GDPR, Schrems 2 and the rule of law

In a recent post (ICO fines Cabinet Office £500,000) I wrote about how cheering it was to see the rule of law implemented. This post is also about the GDPR, but this time it’s about the rule of law (ROL) not being implemented.

ROL is kind of synonymous with democracy and therefore is A Good Thing. The ROL breaks down when there is no democracy (i.e. dictatorships), and when governmental agencies run out of control. Schrems 2 has provided another instance of ROL breakdown: it’s when legislators pass laws that are not practical.

The story so far: in 2020, in the Schrems 2 case, the EU supreme court struck down the Privacy Shield which had provided legal cover to EU companies exporting personal data to the US (that means just about any company that uses cloud services). The result of Schrems 2 was that companies exporting personal data to the US now had to use the Standard Contractual Clauses to provide legal cover, and the SCCs had to be supplemented by additional measures (encryption, pseudonymisation) so that the overall result achieved ROL protection.

For those companies exporting data to the US (er… again, just about every company using cloud services), the problem was that the EU’s supreme court had already decided that the US data protection regime for non-US citizens did not comply with normal ROL (the US constitution runs a two-tier regime: US citizens and US residents get ROL, everyone else doesn’t; that’s the basis behind Guantanamo amongst other things), and therefore did not comply with the GDPR.

In response, the US companies (Google etc.) adopted lots of additional measures that were intended to make up for the lack of protection afforded by the US to EU citizens. This was always going to be a bit problematic: it’s a bit like saying that, because I have lots of locks on my doors and windows and the police will find it hard to get into my house, I’ve got ROL protection in relation to my house. It’s not: ROL means you don’t need locks, and the police won’t go in unless they have a search warrant issued by a court.

Because the Schrems 2 judgement was so huge, and because the big US tech companies are unavoidable trading partners for most companies in the EU, business has carried on mainly as usual and Schrems 2 has been largely ignored. I.e. no ROL for this particular issue.

You can’t blame the judges: they were just applying the law. But you can blame the legislators because they were too quick to pass a law which looked great in theory but which was impossible to get to work in practice. But whichever way you look at it, it’s not great. We have an important law adopted by a number of democracies, but we are all ignoring it because we can’t get it to work.

However, it looks like the first cracks are starting to appear. The Austrian data protection regulator has recently upheld a complaint against an Austrian site that used Google Analytics: the Austrian site (NetDoktor) had, by using Google Analytics, exported data to the US. GA sends the data – which consisted of personal identifiers based on cookies (and which was, according to the regulator, still personal data despite the GA anonymisation mechanism) – back to the US for processing. Google had adopted additional measures to protect the data – including encryption – but these, according to the Austrian regulator, were not sufficient because the US authorities are entitled to force Google to hand over the cryptographic key.

The Austrian decision will not change anything on its own, but as other regulators reach the same decision, momentum will build and something will have to give. Whether that is the US changing its laws, the EU changing its laws, or the US companies keeping the data within the EEA, time will tell.

Meanwhile, if you are an SME using a US-based provider, the best thing to do is stay invisible in the herd whilst keeping an eye out for developments.

Sharon Grossman

Executive coach | Helping leaders bounce back from burnout & retain top talent | Follow me for daily posts on leadership, burnout, and retention strategies.

3 years

It's not every day that we get the advice to stay invisible. I guess with all these upcoming law changes, it can feel like someone is sweeping the bottom from under you. Thanks for sharing, Mark Sherwood-Edwards

Thanks Mark Sherwood-Edwards, well explained. Conclusion: stay low, run hard!!

Richard Medcalf

Helping the world’s top CEOs magnetise their teams, reshape their industries, and leave a legacy that matters (whilst enjoying the journey!)

3 years

Wow. Looks like all we can do is close our eyes and pretend it’s all ok!
