Data Protection & Privacy 2022

The Time Has Come for a New Framework to Develop Agreed “Government Access” Principles Applicable to US-EU Data Flows, as Well as Standards for Evaluating whether Privacy Regulation Is Actually Working

Writing this introduction on data privacy in March 2022 requires solemn consideration of the impacts of Russia’s aggression in Ukraine. Just as the world was not the same after 9/11 and the 2003 Iraq War, global affairs today must be broadly recast in light of the present invasion in Europe.

This is no less true of the privacy and data protection field than it is of other fundamental components of freedom.

The tragedy and lawlessness of the Russian war on Ukraine has demonstrated that the empathetic and democratic ideals of the “West” are intensely shared by transatlantic allies in the USA, UK and Europe – and that such ideals must be arduously defended against the transgressions of countries that reject them.

For data privacy, the implications of this are clear: the time has come to acknowledge that the breach in trust experienced by the European Union following the Edward Snowden leaks in 2013 regarding US surveillance capabilities and practices has become overwrought, stale, largely misguided, and unjustifiably disruptive of US-EU data flows. In other words, the suspicion trained on transfers of personal data from the EU to the USA that could conceivably be subject to US government access for purposes of national security must be tamped down. The collective response of the USA and EU to the democratic catastrophe perpetrated on Ukraine reveals the powerful values the polities share regarding the rule of law, respect for human rights and fundamental freedoms. And, significantly, the powerful, essential mutual reliance on shared signals intelligence across the Atlantic. European national security and US national security are, once again, shown to be thoroughly and intrinsically intertwined.

In this regard, it should not go unremarked that Snowden sought and received refuge in Russia, and not in any member state of democratic Europe. This observation is substantively relevant. It shows how the USA and EU are fundamentally aligned on matters of national security, including electronic surveillance, and not fundamentally at odds. As such, the Schrems decisions, channelling Snowden, erected unrealistic, unnecessary and inappropriate barriers to transatlantic data flows.

Indeed, given the consequences of the war in Ukraine, it would be absurdly incongruous for, let’s say, the Court of Justice of the European Union, to conclude that a company complying with US national security electronic surveillance law does not have a “compelling legitimate interes[t]” to do so under the General Data Protection Regulation, or that such data transfers do not constitute an “important reaso[n] of public interest” for EU member states in line with the GDPR. While the USA and EU have different approaches to regulating privacy, they intrinsically agree on the imperative to preclude unconstrained and unjustified surveillance of ordinary citizens of the world.

Accordingly, the USA and EU must now agree to a reciprocal and sustainable framework of high-level principles for respective government access to personal data for national security purposes. Not only is the USA not the enemy of privacy on this front, but in truth, EU member states could benefit from emulating American checks and balances, oversight and independent safeguards on intelligence agencies and electronic surveillance. Of course, the USA should be prepared to reciprocate the learning experience where Europe has developed effective safeguards.

Is Data Protection Legislation Actually Working as Intended?

Switching gears, even as a massive global assault on human rights is unfolding in Eastern Europe, the more quotidian dimensions of privacy and data protection, and regulation of commercial data practices, all still remain vitally important. However, in the spirit of focusing on first principles, the question should be asked whether regulatory juggernauts such as the GDPR and its American counterpart, the California Consumer Privacy Act, are in practice working well to protect fundamental privacy rights with proportionate (ie, justifiable) impacts on other fundamental interests of society.

The answer to this question may very well be “yes.” But has either or any jurisdiction posed this question to itself. “Privacy” is unquestionably a fundamental right in the democratic world, but do today’s heavily bureaucratic frameworks actually increase protection for personal privacy, human dignity and individual freedom? Is anybody really checking?

In sum, readers of this year’s Data Protection and Privacy guide should reflect on whether it is about time to declare a truce on the Snowden/Schrems battlefield, and on whether current laws that mandate uber-regulatory privacy protection truly deliver. Do they facilitate essentially legitimate data practices (within reason), do they establish a reasonable relationship between business interests and data subject rights, and do they identify and prohibit or effectively penalise abusive and unfair data practices (commensurate with their harm)? Privacy and data protection regulation that is excessively burdensome is hardly desirable.