THE NINE SIMPLE REASONS WHY GLOBAL DATA PRIVACY LAW IS SO COMPLEX

Paul M. Robertson, Esq. and Melanie J. McCauley, Esq.

For a number of reasons, transferring electronic data across borders in compliance with data privacy law has become increasingly challenging during the last decade.?

First, restrictions are not uniform from one jurisdiction to the next.?No one-size-fits-all approach can be applied globally.?

Second, the statutes, case law, and regulations themselves are often prolix, opaque, and jargon filled.?They are a challenge to interpret for the skilled privacy expert.?For the lay reader, they can be indecipherable.

Third, enforcement is often unpredictable and inconsistent.?Punishments can vary greatly between countries, industries, and data type.?

Fourth, there are unresolved tensions between and among sovereign entities.?One such struggle exists between the U.S. and the European Union.?These trading partners seek to strike a balance between, on the one hand, protecting the privacy of their citizens’ data against surveillance by foreign governments and, on the other hand, allowing the free flow of information between and among businesses, consumers, and individuals necessary for the promotion of commerce and social discourse.

Fifth, even within these jurisdictions themselves, such as the EU, there are differences in perspective and unresolved tensions among the various governing bodies.?For example, the executive branch, the European Commission, has repeatedly created transfer tools with bold-sounding names like “Safe Harbor” and “Privacy Shield.” ?Data users seeking to comply with their obligations are lulled into a false sense of security by these tools.?The EU’s judicial branch, the Court of Justice of the European Union (the “CJEU”), however, has as repeatedly disagreed, ruling these “harbors” and “shields” to be noncompliant with basic privacy protections.?

Sixth, there is a fundamental incompatibility between the commercial interests of free-flowing, expansive, and unfettered collection and use of personal data and the personal interests of limiting the scope such uses to protect personal privacy.?These forces push in the exact opposite directions.?

Seventh, data uses are expanding and morphing at exponential rates.?A solution that may appear to work for one particular company in one particular area on one day – say, for example, a bank conducting an internal investigation that just happens to cross borders – may not work for the that same company in a different setting on another day – say, for example, that same bank transferring protected customer information across the same borders for marketing purposes.?

Eighth, the increasing complexity and burden of data privacy laws are making compliance by all but the largest conglomerates cost prohibitive.?Economical solutions for small and mid-cap shops can be hard to come by.

Ninth, and finally, compliance with data privacy law takes considerable time and expense.?Settling upon a compliant transfer mode that the relevant authorities appear to have approved is no mean feat.?Time and again, the law changes after the work is done.?The goalposts get moved before the dust has settled, sending data professionals back to the drawing board.?This is good for the business of privacy professionals, but not so good for everyone else.?The impact of the CJEU’s 2015 Schrems I and 2020 Schrems II decisions are cases in point.?

This diminishing level of regulatory certainty coincides with an explosion of the volume and type of personal information being collected, the extent to which it is shared and distributed, and the use to which it is put.?And with the growth of several concentrated Internet commerce and social networking behemoths, individuals and companies that do not regularly transmit personal data across regulatory borders are becoming the exception to the rule.?In other words, all of us, big business, small business, and individual users, risk the consequences if we do not attain a working knowledge of data privacy rules.?

With that knowledge must come an understanding of the tools and methods available to protect the relevant rights and comply with the controlling obligations. ?Accepting that there is no perfect solution, there is, on the other hand, a strong likelihood that an imperfect one will be arrived at unless a thoughtful and systematic approach to data privacy is taken.?There are best practices.?

Over the next several weeks, we’ll consider the impact that these opposing, and sometimes conflicting, influences and interests have on those who use and transfer data across borders.?The data privacy practitioner will, in the end, be left with an outline for a systematic approach to data privacy transfers across borders, and suggested best practices.?Stay tuned!?

Reproduced with permission from Bloomberg Law, Privacy and Data Security Practice Portfolio Series, Chapter II: Cross-Border Data Transfers, by Paul M. Robertson, Esq., and Melanie J. McCauley, Esq., ? 2022 by The Bureau of National Affairs, Inc. (800-372-1033).?