In BigIDeas on the Go, Matt Getz, privacy and compliance lawyer for Boies Schiller Flexner LLP and former arbiter on the EU-US Privacy Shield Framework, discusses the widespread implications of the Privacy Shield decision — plus his work on Brown vs. Google, the upcoming class action “incognito mode” case that is already topping headlines.
What the Schrems II Decision Really Means for Data Privacy
On July 16, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, an agreement between the United States and the European Union on how US companies handle personal data for EU users, calling US protections “inadequate” under the framework.
The decision, commonly termed “Schrems II” because it comes out of the ruling for Facebook vs. Schrems, has widespread implications for the transfer of data across borders. “Frankly, if we take this through to its ultimate effect,” predicts Getz, “bulk transfers of data to the United States are going to get really, really difficult.”
Before the landmark decision to overturn Privacy Shield, which more than 5,000 EU companies used when transferring personal data to the US, “very few” disputes involving Privacy Shield had arisen, and the European Commission consistently gave it “glowing reports,” says Getz.
“In fact, the program, I felt, worked quite well from the point of view of data subjects. There weren’t a lot of big issues, which is why I think the Schrems II decision is so interesting in a lot of ways.”
The “Headless Chicken” Reaction to Schrems II
Effective or not, a lot of signs suggested that Privacy Shield’s number might be up. “There had been a lot of knives out for the Privacy Shield program from the moment it started. Some NGOs were against it, the Irish courts it went through were not very happy about it, of course, Mr. Schrems was opposed to it.”
Even though Schrems II did not invalidate Privacy Shield’s Standard Contractual Clauses (SCCs), it created a lot of uncertainty regarding exactly what “supplementary measures” and “additional safeguards” may be needed in the future to protect data moving between the EU and the US.
The data protection authorities and European Data Protection supervisory board experienced “a bit of headless chicken reaction” to the Schrems II ruling. When it comes to “what data controllers and exporters have to do relating to standard contractual clauses, nobody really knows what that means — and what they’re supposed to do now,” says Getz.
“They all said, ‘Oh, we welcome the decision. And we’re thinking about it, and we’re going to come back to you and tell you what you need to do.’ So that says to me,” says Getz, “that they were surprised as well, and didn’t have contingency plans in place.”
What’s an EU Company to Do in the Meantime?
While the Privacy Shield decision goes into effect immediately, Getz believes that companies in the EU can probably look forward to “a lot of latitude and leeway in terms of enforcement. I think the parties are going to let people start working out what to do and not take immediate action.”
In the interim, forewarned is forearmed — as tends to be the case in matters concerning data privacy.
“I think the very first thing to do, for anybody who hasn’t, is to do an audit and to work out exactly what data it is that you’ve been sending across using Privacy Shield, and work out if there are other ways that you can send it across. Work out what other measures you can use — if anonymization can work, if pseudonymization can work.”
In terms of preparing for the unknown supplementary measures and safeguards that lie ahead, “there need to be regular audits and reviews by companies, by controllers and exporters, of exactly what’s happening with their data and where it is.
“People are going to need to look more closely and put a bit more time and resources into assessing what data is going across.”
While all eyes are on how this affects data transferred to the United States, “if you take this decision to its logical conclusions,” says Getz, “it seems to me that almost any large-scale transfers from the EU to a country that does not have an adequacy decision — and remember there are only about 12 or so countries that have adequacy decisions — any one of them would probably be in breach of the rules.”
Brown vs. Google — How Private Is Private Mode?
In addition to his work on Privacy Shield, Getz is also on the legal team for the Brown vs. Google case, a California class action suit that relates to Google’s data processing activities when people browse in private, or “incognito” mode.
“The headline is, just about everybody who’s been browsing privately — and thinks that they are browsing privately — actually hasn’t been because Google has been collecting and using and storing the data.”
Google states that it does not track your data when you browse in incognito mode, but “because of the way that Google Analytics and Google Ad Manager work — because they’re embedded on the websites of more than 70% of all publishers — if, while you’re browsing in private, you visit a page that has Google Analytics and Google Ad Manager on it (like the New York Times, the Washington Post, BuzzFeed, Reddit; they’re all over the place), then Google actually is collecting and processing and storing users’ data.
“And [Google] is keeping that data and it’s doing things with it, even though people think that Google is not taking the data. We think that this is a violation of the California privacy laws.”
Though the case is “in very early days,” and Google hasn’t even had to respond yet, the implications of going after an internet giant like Google may drive home the point that “if people are gonna walk the walk, they’re gonna have to talk the talk,” says Getz.
Listen to the podcast to learn more about Getz’s predictions for Schrems II and Brown vs. Google.