Something Else to Worry About: The Death of Privacy Shield
Disclaimer: Reading legal articles on the Internet and applying them to your situation would be silly. What follows isn't legal advice, it's general legal information. If you aren't an attorney, consult one before trying this.
Posted: January 5, 2020
tl;dr: Perhaps the GDPR is more about protecting the EU economy than protecting privacy.
With that in mind, I'm pessimistic about the Privacy Shield surviving EU judicial review. The Privacy Shield is what many U.S. consumer tech companies use to import EU user data into the U.S. Without it, many consumer-facing U.S. tech companies will have to set up shop in the EU to be GDPR-compliant. Or they could stay out of the EU entirely.
The right course of action is unclear.
Perhaps the GDPR isn’t really about protecting privacy. I mean, from an Internet user's perspective, not much has changed since its inception. Companies still collect and use personal data in all sorts of ways. Internet users (EU-based and otherwise) still get retargeted with Adidas ads because last month they were drunk and forgot to go Incognito before Googling for a new pair of Adidas Grand Courts (admittedly, that was me).
Instead, perhaps the GDPR's true aim is protectionist. Perhaps it was designed to hamstring U.S. companies and allow the EU to get their piece of the pie, in the form of job creation and revenue generation.
It's not difficult to find evidence of this in the text: The GDPR says you need to assign an Article 27 EU representative (EU job creation); you probably need to assign a DPO (EU job creation); and you can get fined up to 4% of your sweet, sweet global revenue (EU revenue generation).
U.S. Companies: Do you have any experience?
The EU: No, sir, I have no experience but I’m a big fan of money. I like it, I use it, I have a little. I keep it in a jar on top of my refrigerator. I’d like to put more in that jar. That’s where you come in.
Now consider the latest development: On December 19, the Court of Justice of the European Union's Advocate General opined that Standard Contractual Clauses (aka Model Contractual Clauses or SCCs or MCCs) are legit, buttttt, and this is a crucial buttttt, thinks the Privacy Shield should die in a fire. (By way of background, Advocate General opinions aren't binding on the Court of Justice of the European Union, but they are highly influential. Also, SCCs and the Privacy Shield are ways of lawfully transferring data from the EU to non-EU countries like the U.S.—jump to the appendix at the end if you want a refresher on cross-border data transfers.)
This opinion is a big deal! And nobody is talking about the big dealness of it. Various law firm blog posts (like the ones here (Techdirt), here, here, and here) summarized the report but omitted the implications.
And the first-thought, surface-level takeaway is that everything is fine because, according to the advocate general, SCCs are still a valid way to transfer data from the EU to the U.S.
For example, "If the CJEU follows the AG's opinion, the practical outcome will be that there will be no material change in the options available to businesses for transferring personal data to non-EEA countries." But that conclusion assumes that the CJEU won't take up the Advocate General's implicit offer to rule on the validity of the Privacy Shield. However, if it does, that's bad!
Why is that bad? Because the death of Privacy Shield means you have to set up an EU office as your data controller. This is worth repeating: Without that EU office, SCCs won’t work.
To make it more concrete: Suppose you run a small San Francisco-based online game company. Your game allows players (EU-based and otherwise) to purchase in-game goods in their local currencies and you’ve translated your game into the various EU languages (as a result, the extra-territorial reach of the GDPR certainly extends to you). How do you lawfully transfer data to the U.S. without the Privacy Shield?
You can’t. Impossible. Without an EU-based office to act as a controller, you're out of luck.
Therefore, the death of Privacy Shield means more—significantly more—EU job creation. This implication fits nicely into the GDPR-is-actually-protectionist-legislation theory. Because it fits so well with the protectionist theme, I am more worried about the CJEU ruling on Privacy Shield.
I know what you’re thinking (part I): Haven’t we gone through this already with the death of the EU-U.S. Safe Harbor program (RIP Oct 6, 2015)? Yes! That sucked. However, it turned out OK because the EU wasn’t enforcing the thing and had been, for over a year, actively negotiating with the United States to put in place a replacement. This time is different. This time there’s the possibility of GDPR-level $20M or 4% of global revenue fines and, unlike before, I don’t believe there are any ongoing negotiations for a replacement.
I know what you’re thinking (part II): Fine, we’ll switch our AWS instance and host EU user data in the EU. Unfortunately, that’s a significant technical challenge for most organizations. And, even if you do move data to the EU, you’ll still want your U.S.-based employees to access it for debugging and customer support. Further, you’ll want your U.S. service providers to have access to EU user data as well.
I know what you’re thinking (part III): Wait, if the EU invalidates the Privacy Shield, it will offer a grace period. Anything else would lead to chaos and disrupt the EU economy. They’d never let that happen. I am not so sure. If the other transfer mechanisms, primarily Standard Contractual Clauses, remain, then EU businesses wouldn’t be disrupted. Instead, the only companies at risk would be U.S. consumer-facing tech companies that don’t have an EU affiliate to act as a controller. Also, there’s precedent. When the CJEU invalidated Safe Harbor, it didn’t offer a grace period.
What are my options?
Option 1: Open a Legit EU Location
Most of the big Internet consumer companies have an EU-based data controller. That way, they take advantage of the so-called one-stop shop rule, which lets them choose the EU country they want to deal with regarding privacy matters. (Additional benefits: It helps them hire an EU-based DPO and have a backup data transfer mechanism.)
So why wouldn’t everyone do this? It’s expensive. To qualify as an EU controller, you need to staff it such that it is the entity that “determines the purposes and means of the processing of personal data.” GDPR Article 3. In practical terms, this means, at the very least, hiring a DPO. IIRC, the Irish Data Protection Commission chastised some companies for not staffing their controllers sufficiently to allow them to “determine[] the purposes and means for processing of personal data.” (All of those companies’ privacy lawyers remained in their U.S. headquarters).
Another problem with this approach is that it dramatically increases GDPR-enforcement risk. More on that in Option 3 below.
Option 2: Open a Half-Assed EU Operation in Three Easy Steps
- Contract with a company that will act as your controller.
- Hire an outside counsel to be your DPO.
- Sign standard contractual clauses.
The benefit of this approach is that it’s cheap.
The downside is that it looks like a sham. The controller isn’t really acting as a controller because it has no say over how the company uses personal information.
The other downside is that you'll still be on the hook, by virtue of a controller indemnification, for any fines. And, because the controller is right there in the EU, it isn’t hard for a DPC to get that sweet Internet money (note the EU's irresistible temptation to issue lucrative fines).
Option 3: Abort, abort, leave immediately!
If you’re not going to comply with the GDPR, the next best option may be to not be in the EU at all. Why? Because the EU has thus far been unwilling to try to enforce the GDPR in the United States.
In theory, they could. An EU-based Data Protection Commissioner could issue a fine and then fly across the Atlantic to ask a U.S. court to enforce it. But, from all outward appearances, the various DPCs have been unwilling to even look at a U.S.-only company.
The one exception is the UK’s Information Commissioner’s Office investigation and letter to the Washington Post. And there, the ICO didn’t believe it could cross the pond to enforce its rules (emphasis mine):
“We have written to the Washington Post about their information rights practices,” the ICO said.
“We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies.
We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”
So what does ignoring it entail? Essentially, you’ve got to ignore a bunch of GDPR requirements. First of all, don’t set up an office in the EU. Next, you’ll have to not appoint an Article 27 representative, because that person or organization will be on the hook for your GDPR violations in the event you aren’t available. Finally, don’t assign an EU-based DPO.
One nice feature of this plan is it is superbly easy to implement.
What are the risks? There are many:
- Future EU expansion could get awkward. I could imagine a data protection commissioner being unhappy with you selling products to EU citizens for years without complying with the GDPR.
- Cross-border enforcement. The EU could come to the U.S. to try to enforce a judgment against you. The U.S. court would have to be satisfied that the DPC had proper jurisdiction and that the fine wasn't contrary to public policy. All of that is questionable but could be expensive to fight.
- EU asset grab. If you’re collecting money from EU consumers, they could likely attach that money or enjoin businesses from dealing with you. International asset forfeiture isn’t my area of expertise, but that sounds like a reasonable possibility.
Do I need to think about this now?
Yeah, probably. At least a little bit. It is likely worth scoping out and weighing the alternatives now so that the CJEU's opinion, which could come in a few months, doesn't blindside you.
Appendix: There Are Three Legal Ways to Transfer Data from the EU to the U.S.
Just to recap, those three ways are BCRs, Standard Contractual Clauses, and the Privacy Shield.
In terms of difficulty, BCRs are the equivalent of free soloing El Capitan, while SCCs and Privacy Shield are, relatively, akin to climbing over your couch to get some popcorn. In other words, forget about BCRs. Nobody does them.
Between SCCs and Privacy Shield, the SCCs are more limited than the versatile Privacy Shield. Privacy Shield is the Kawhi Leonard to the SCCs' James Harden. Too obscure? It’s the Georges St-Pierre to the SCCs' Chuck Liddell. That’s even worse. Never mind. I’m lonely.
What makes SCCs limited is that they require an EU-located data controller.