A Global Disconnect: Regulation of Commercial Privacy Practices and Government Surveillance
Data protection laws are stacking up: the EU General Data Protection Regulation (GDPR), the UK GDPR, Brazil’s General Data Protection Law (LGPD), India’s Personal Data Protection (PDP) bill. The list goes on and is poised for growth. Privacy is taking center stage both nationally and globally, but efforts to regulate it are equal parts far-reaching and disjointed.
The GDPR and many newer laws modeled upon it create omnibus protections for personal data across the private and public sectors. In each case, processing personal data related to national security needs, a bucket that government surveillance typically fits into, is excepted—within the jurisdiction where the law is adopted at least.
When it comes to international data transfers, the GDPR demands that foreign data protections in the national security sphere be assessed alongside commercial ones. This dichotomy has placed the two issues—commercial data processing and government surveillance—on a collision course. In July 2020, when the Court of Justice of the EU (CJEU) handed down its “Schrems II” decision, the wreckage of yet another crash was strewn globally.
Policymakers and companies around the world are now working to pick up the pieces. They are coming together, in the Organization for Economic Cooperation and Development (OECD) and elsewhere, to discuss how they might move forward together.
Where We Stand Today
In the Schrems II decision, the CJEU invalidated a cross-border data protection and transfer mechanism—the EU-U.S. Privacy Shield Framework—on which thousands of companies depended to move personal data outside of the EU to support global commerce in compliance with the GDPR.
This was the second such invalidation in a handful of years. The CJEU struck down the preceding framework in 2016. The 2020 ruling stemmed from longstanding EU concerns regarding U.S. protections governing surveillance—specifically those outlined under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.
In addition to invalidating Privacy Shield, the court charged companies using all other GDPR-approved transfer mechanisms to move data globally with assessing whether foreign protections for government access to personal data are aligned with EU law. Where they are not, the CJEU said, companies must put in place additional safeguards to ensure equivalent protection or put a stop to data transfers.
The European Data Protection Board (EDPB) issued recommendations to help guide businesses, but acknowledged that in many instances, no suitable safeguards could be found. Commercial contracts, after all, cannot bind government authorities. In fact, the EDPB pointed out that the technical safeguards it recommends most highly to render data inaccessible to government actors—such as encryption—would make many types of processing, which require access to the data itself, worthless.
As a result, companies around the world are in a bit of a bind. Navigating compliance is confusing, time-consuming, costly, and sometimes impossible.
Where Governments Could Take Us
Governments have recognized that at its core, this is a problem companies cannot solve. To move forward, government authorities are discussing short- and long-term options. The United States and the European Union are working on an enhanced Privacy Shield Framework. Other EU “adequacy” assessments, including with the United Kingdom and South Korea, are also in progress.
Ultimately though, governments are beginning to recognize that this is a global challenge and one that must be addressed on a multilateral basis. Encouragingly, governments have agreed to come together in the OECD to develop trusted principles for government access to private sector data. Where government demands for data intersect with commercial data processing (i.e. compelled access), they are discussing a set of global norms and protections. If successful, their efforts could better separate these two issues once again, allowing companies to focus on the strength of the protections they can control rather than on assessing and challenging those on which they have far less influence.
How We Might Get There
While foreign surveillance practices seem an unlikely candidate for a friendly accord, stakeholders have four reasons for optimism. First, law enforcement and intelligence authorities, with an understanding of data needs and the ability to implement new protections, are sitting down together at the OECD rather than speaking through their commercial or diplomatic counterparts. Those involved in discussions report that they are making progress and proceeding with urgency.
Second, OECD members have already endorsed common privacy principles—in the Budapest Convention on Cybercrime, the International Covenant on Civil and Political Rights, and the OECD Privacy Guidelines themselves.
Third, stakeholders can draw on three recent international agreements on information sharing and data protection in the law enforcement arena—the Umbrella Agreement, the Terrorist Finance Tracking Program Agreement, and the UK-U.S. Agreement under the U.S. CLOUD Act—to implement privacy principles in a related realm.
Fourth and finally, government officials understand that our countries’ shared security and economic prosperity demand that they chart a path forward together. They recognize that businesses operating on their shores rely on global supply chains, a borderless internet and the data flows that allow them to engage with customers around the world. They also know that protecting their citizens is a joint endeavor supported by allies, as demonstrated by the data sharing accords noted above. In both regards, government officials can and have come together to ensure that where data flows, protections follow.
Freedom from unreasonable and disproportionate surveillance is a hallmark of democracies. Affirming that on a multilateral basis could help preserve open communication between our societies.
Caitlin Fennessy is the research director at the International Association of Privacy Professionals (IAPP). Prior to joining the IAPP, Fennessy was the Privacy Shield director at the U.S. International Trade Administration.