Latest EU Privacy Judgment May Trigger A Journey To Code

The landmark privacy judgment of the Court of Justice of the European Union on July 16 has left the law on transfers of personal data from the EU to the U.S. in a state of confusion, with conflicting opinions abounding on what is now permitted and how U.S. government and businesses should respond. However, there is one area of clarity that is emerging, which is that businesses should commence “a journey to code”.


Minimising data access and use

The issue that triggered the litigation that led to the Privacy Shield agreement between the EU and the U.S. being declared invalid this week is the same as the one that led to the Privacy Shield’s predecessor, Safe Harbour, being declared invalid in 2015: mass surveillance. Although national security and law enforcement activities are both encouraged and supported by European law, which therefore permits of surveillance activities in Europe, it is the idea of “mass” surveillance that is troublesome. Mass surveillance suggests to the EU that the activity is non-targeted and disproportionate, which are anathemas in the European legal order. Instead, Europe requires surveillance activities to be minimised, to the lowest levels of volume, scope and intrusiveness.

Using Standard Contractual Clauses for data transfers to the U.S.

Debate is raging within the community of international privacy professionals as to whether this week’s judgment permits of the use of the EU Standard Contractual Clauses mechanism for EU to U.S. data transfers. One perspective is that the arc of legal ambiguity affects only those U.S. entities that are directly subject to the rules in FISA section 702 and Executive Order 12333, as they pertain to generalised surveillance of foreign nationals abroad, which would cover the likes of telecommunications backbone providers and ISPs. On this view, entities falling outside of these areas would be able to use Standard Contractual Clauses, on an ongoing basis, or as an alternative to the use of Privacy Shield. These are complex legal issues and the law is not settled, so concerned entities need to take considered advice. Regardless of how this issue is resolved, this week’s judgment should quickly lead to a conclusion that data use needs to be minimised, not least to reduce the risk of conflict with the EU legal order.

The journey to code

A very influential book by Lawrence Lessig, published in 1999, may point the way for data minimisation and, hence, the minimisation of legal risk in Europe. Code And Other Laws of Cyberspace points out that code is law in cyberspace. This concept extends directly to European data protection law, which, in the context of international data transfers and access to data by public authorities, is concerned primarily with data objects that are contained in, created by, or controlled by code.

Therefore, data themselves should be subject to minimisation treatments. As well as automating rules for data deletion and destruction, these treatments can include encryption. Collectively, a variety of treatments can minimise the risk of data access and exposure events happening, which helps to achieve the goals of European law and thereby minimises legal risk.

In conclusion, this week’s judgment of the Court of Justice of the EU should encourage entities to commence, or continue, a journey to code. A journey to code is the natural pathway that flows out of the judgment and the wider body of European law in this area.
