Must the U.S. Congress change statutory law to solve the major issue of “redress” in the EU-US adequacy negotiations? This is a crucial question, especially since a series of political, pragmatic and even legal/constitutional difficulties mean that the U.S. might not be able to come up with a short-term statutory solution for redress. In this article we analyse this question for the first time in detail, and argue that, provided the U.S. is able to address the deficiencies highlighted by the Court of Justice of the European Union (CJEU) in its Schrems II judgment (independence of the redress body; ability to substantively review the requests; and authority to issue decisions that are binding on the intelligence agencies), then relying on a non-statutory solution could be compatible with the “essential equivalence” requirements of Article 45 of the EU’s General Data Protection Regulation (GDPR). In a second, forthcoming article, we set forth specific elements of a novel non-statutory solution and assess whether it would meet the substantive European legal requirements for redress.
This post provides a link to a chapter of the book “Surveillance and Privacy in the Digital Age: European, Transatlantic, and Global Perspectives” (Bloomsbury Publishing, 2021), edited by Valsamis Mitsilegas and Niovi Vavoula, and is provided here with the permission of the publisher. Cloud computing has revolutionized the ways in which individuals, companies and governments operate in the twenty-first century. Such progress however can also beget more sophisticated mechanisms for coordinating and executing criminal acts. When evidence sought by one government is stored on a server in another country with a different data privacy regime, how can these conflicting interests be reconciled? What are the responsibilities of service providers when such transfers are concerned?
In the IAPP piece New EU data blockage as German court would ban many cookie management providers, Dan Felz and Peter Swire examine the potential EU-wide impacts of a Wiesbaden court decision prohibiting a cookie management provider from utilizing a U.S.-based service to collect data, regardless of whether such data had ever actually been transferred out of the EU. Although the decision was made at the interim injunction stage and could thus be modified if the case proceeds to trial, its implications are significant.
In the Monday, December 20th Lawfare article titled Towards OECD Principles for Government Access to Data: Can Democracies Show the Way?, Theodore Christakis, Kenneth Propp and Peter Swire discuss the role that democracies can play in establishing trusted international standards for cross-border data flows. Drawing upon documents made available by the Organization for Economic Cooperation and Development (OECD) as well as interviews conducted by the team with governments, institutions, corporate bodies and academic thought leaders in the field, the authors provide a high-level summary of the current state of play in OECD negotiations, new challenges and approaches involved in balancing national security needs with data protection and privacy rights, and what to expect as we approach the new year.
France’s national cybersecurity agency (known as ANSSI) is revising its cybersecurity certification and labeling program (known as SecNumCloud) to disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as 600-plus firms that operate “vital” and “essential” services. If put into place without changes, it would essentially make it impossible for foreign cloud firms, or firms using services from foreign cloud firms, to be considered “trusted.” The regulation includes severe, China-like restrictions that force foreign firms to store data locally and only use local support and technical staff, which makes it impossible for them to leverage system-wide security and functional services. It also imposes strict limits on foreign ownership and representation on a company’s board of directors. Similar to China, it would effectively only allow local firms to attempt for certification, and thus force foreign firms to set up a local joint venture to try to be certified as “trusted.” This post analyzes the problematic provisions in the proposed update to SecNumCloud.
This post was originally published by the Centre for Information Policy Leadership (CIPL) as part of the series Perspectives on Privacy and Effective Data Use in the Global Digital Economy and Society, and is reprinted here with the permission of same. Along with other contributors to this symposium, I have devoted much of my professional life to privacy protection. Throughout my quarter-century in the privacy field, one recurring issue has been what sorts of institutions can serve privacy, while also meeting the other goals that any society has. In the language of Article 8 of the European Convention on Human Rights, how might we best protect privacy while recognizing other interests that are “necessary in a democratic society”? The interests listed in Article 8 would seem vital to consider, whatever one’s view of politics or the just society. They are “national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”