U.S. White Paper on 'Schrems II': Emperor still clothed

A new U.S. white paper on data protection means favorably to supplement the record on U.S. surveillance practices that, in part, fueled the European Court of Justice (ECJ) decision in "Schrems II," in July, rejecting the adequacy of the Privacy Shield Framework to secure EU-to-US data transfers.

From the U.S. Department of Commerce, Department of Justice, and Office of the Director of National Intelligence, the white paper suggests that the ECJ ruling was interim in nature, pending investigation of U.S. national security practices to better understand whether they comport with EU General Data Protection Regulation norms, such as data minimization, which means collecting only data necessary to the legitimate purpose at hand.  The paper states:

A wide range of information about privacy protections in current U.S. law and practice relating to government access to data for national security purposes is publicly available.  The United States government has prepared this White Paper to provide a detailed discussion of that information, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. The White Paper provides an up-to-date and contextualized discussion of this complex area of U.S. law and practice, as well as citations to source documents providing additional relevant information. It also provides some initial observations concerning the relevance of this area of U.S. law and practice that may bear on many companies’ analyses. The White Paper is not intended to provide companies guidance about EU law or what positions to take before European courts or regulators. 

Armed with this additional information, then, the message to the private sector seems to be, Keep Calm and Carry On, using the very same "standard contractual clauses" (SCCs) that the ECJ invalidated.  Yet if the information featured in the white paper has been publicly available, why assume that the ECJ was ill informed?  (Read more about SCC revisions under way, and their likely shortcomings, at IAPP.)

Unfortunately for the U.S. position, the ECJ opinion was not, to my reading, in any way temporary, or malleable, pending further development of the record.  The white paper comes off as another installment in the now quarter-century-old U.S. policy that the emperor is fully clothed.

I hope this white paper is only a stop-gap.  As I said in a Boston Bar CLE recently, no privacy bill now pending in Congress will bridge the divide between the continents on the subject of U.S. security surveillance.  A political negotiation, which might involve some give from the American side at least in transparency, seems now to be our only way forward.

The white paper is Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020).

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein

We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic

Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell

Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal

Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.

EU frets over Privacy Shield adequacy, and NGO insists, emperor still naked

The Commission of the European Union is reviewing the U.S.-EU Privacy Shield framework for conformity with the General Data Protection Regulation (GDPR), and NGO AccessNow is again demanding an inadequacy finding.

A lot is at stake.  For the uninitiated, European regulators have a dramatically different take on the protection of personal information than the free-wheeling free marketeers of the United States.  I've written some about the problem here and elsewhere (e.g., here and here), arguing that the American people are not so far from European privacy norms, but it's our law that lags behind the democratic will.  For my money, the definitive macro analysis of why American and European approaches to privacy have differed is James Q. Whitman's.  Anyway, the GDPR does not allow the export from Europe of information to countries that do not comport with its privacy protections, and that creates a monumental problem for the trans-Atlantic flow of not only information, but commerce.

The problem is not new and existed under the GDPR's predecessor law, the 1995 Data Protection Directive (DPD).  A number of mechanisms were devised to work around the problem, and they were approved by European regulators under the umbrella of "the Safe Harbor agreement."  But it's widely understood, at least on the European side, that Safe Harbor was something of a sham: No one with a straight face could argue that U.S. law was comparable to the DPD.  Safe Harbor in practice comprised mostly industry standards, voluntarily adopted and barely enforced by U.S. regulators.  There's also an important piece of this problem in the vein of national security, government spying, and personal information; I'm not even getting into that.

Privacy Shield is stronger than Safe Harbor, but the GDPR is a lot stronger than the DPD.  There have been remarkable advancements in privacy law in some states, notably California, in the EU direction.  And quite a number of court challenges have followed, winding their way through the process, some derived from objections in the commercial sphere, some the civil rights sphere: you've probably heard of "the right to be forgotten."  But our patchwork state laboratories hardly sum reassurance to Europe.  So in the absence of a comprehensive peace offering at the federal level, the debate over the EU's adequacy determination regarding Privacy Shield pretty much boils down to whether or not we're going to admit that the emperor is naked.

AccessNow, a global NGO and sponsor of RightsCon, has consistently called for honesty about the emperor's sorry state.  A recent memo calls on the Commission to rule Privacy Shield inadequate, and AccessNow has invited republication of a new infographic in support of its position.  I hereby oblige. It's past time we get serious about protecting personal information in the United States and stop commercial exploitation of human identity upon industry's abusive invocations of civil rights such as the freedom of speech and freedom to contract.

[UPDATE, 23 Oct. 2019, at 13:53 U.S. EDT: Privacy Shield still good, per EC report issued today.]