Schrems II, Reverse Schrems, and Schrems with a Half-Twist from the Pike Position
Just when you thought it was safe to send your data across the water, the distinctive dorsal fin of Schrems II breaks the surface.
The EU, who can barely be convinced that the UK’s data privacy law is “adequate” despite the UK developing its rules as part of the EU for the past 25 years, decides that U.S. business should be punished because the U.S. government monitors some data for information security purposes, exactly as EU member governments also do. Schrems II, with its obvious ambiguity, as demonstrated by the entire spectrum of EU DPA interpretations from the Teutonic (“Absolutely no sharing of data with U.S. processors!”) to the stiff upper lip of Britain (“Keep calm and carry on”), tosses well-intentioned companies into an unnecessary and expensive quandary of how to prove that the evil U.S. government will be unlikely to comb their databases for juicy personal data on EU residents.
What to do about such an emotional and destructive decision? Strike back, of course. Such is the world we now inhabit.
Into this morass wades Oregon Senator Ron Wyden with a gig and a rake. This month Senator Wyden introduced the Protecting Americans’ Data From Foreign Surveillance Act, aimed at countries that U.S. intelligence services define as threats to national security. The reasons for the bill, according to the concomitant press release from Sen. Wyden's office, are that “Congress took a major step in 2018, by directing the Committee on Foreign Investment in the United States (CFIUS) to prevent the sale to foreign firms of American companies holding large amounts of sensitive data about Americans. However, these restrictions only apply to the sale of the company, not the sale of data. The Protecting Americans’ Data From Foreign Surveillance Act addresses this critical national security gap, by adding large volumes of Americans’ personal data to the list of items controlled under existing export control laws.”
The Act directs the Secretary of Commerce to compile a list of countries “to which exports of Americans’ personal data would not harm national security, and to require licenses for exports of the identified categories of personal data to other countries in bulk.” In essence, an EU-style adequacy decision. The Act includes reviews of the adequacy and enforcement of data protection, surveillance, and export control laws in the foreign country, the circumstances under which the government can compel, coerce, or pay people to disclose personal data, and whether that government has conducted hostile foreign intelligence operations against the United States (are you listening, France?).
This proposed law, of course, is aimed more at China and Russia and less at the EU, who started this data hoarding business in the first place. And it takes a top-down approach of protecting data of U.S. residents as a federal national security priority, where the EU limits data transfers in a bottom-up approach of protecting the privacy of each EU resident. But this doesn’t mean that EU countries wouldn’t be placed on the proposed list of restricted destinations, which could hurt both companies from those countries and the U.S. companies that do business with them.
The Washington Post, writing about the Act, stated “The move could disrupt the multibillion-dollar data-broker economy that seeks to monetize the digital footprints Americans leave behind every day — cellphone locations, browsing histories and credit card purchases that are gathered, bundled and sold for marketing and intelligence purposes without government regulation or oversight and without most people being aware of what information is being shared.” Data aggregators will be most affected by the bill if it passes. But like the various Schrems decisions, this bill can also create obstacles for commerce from any business that operates internationally, providing a new set of costly hurdles in the path of compliant operation. Every restriction on the international transfer of commercial data, no matter how benign the reason for its enactment, makes international business harder to conduct.
If this bill gains traction in Congress, we can consider it the next step in stripping away the One World Data Utopia version of the internet that the U.S. has been endorsing since its inception. This will be a win for the cynical national data silos that totalitarian countries have long sought. Or maybe it would simply be an acknowledgement that the totalitarian countries have already walled off their internets into protected silos and the democracies are keeping their people vulnerable by not doing the same.
In any case, it is difficult to argue, in an environment where our allies can threaten the free flow of data to the U.S. through the Schrems II decision, that the U.S. should not be asserting its national priorities in the same space. China and Russia have pushed for a silo data world, the EU plays into their hands, and the rest of us need to consider whether we are the only chumps left – exposing our people’s data to everyone, when everyone is shutting theirs away from us.
The Wyden legislation is less of a counter-Schrems or reverse-Schrems than a modified Schrems with a twist. It takes the concept of resident data protection on an international scale and twists it to accommodate the cultural priorities of the United States. It is less concerned with personal privacy and more concerned with national security. Yet the effect will be the same if you are a country on the wrong side of an adequacy decision.
Like the EU adequacy decisions, this is a tool to force the rest of the world to accommodate national cultural preferences by restricting a core slice of economic activity. Did the EU Court of Justice think there would not be repercussions for opening this door so loudly?