On 9 January, the European Parliament’s civil liberties committee, LIBE, discussed the Privacy Shield arrangement between the EU and the US.
While the debate was framed around the third annual review of the agreement, which allows the transfer of personal data from the EU to the US under a voluntary certification scheme, one question about whether the EU could do a deal with a single US state stood out.
Privacy Shield has come under fierce criticism from MEPs for failing to sufficiently safeguard Europeans’ data. The primary complaint is that US intelligence services can ride roughshod over the principles behind European data protection and that getting redress is beyond the reach of the average EU citizen.
In light of this, and with many MEPs calling for the Privacy Shield arrangement to be struck down – something that may well happen due to an ongoing case, “Schrems II”, before the European Court of Justice – Pirate Party MEP Patrick Breyer asked whether it is possible for the European Commission to grant “adequacy” to an individual US state.
The state he had in mind is obviously California, which enacted the California Consumer Privacy Act (CCPA) on 1st January.
Bruno Gencarelli, representing the European Commission, said that under the General Data Protection Regulation (GDPR) an arrangement with a sub-federal territory is indeed possible. The exchange sparked an online discussion between privacy experts about the possibility of such an arrangement.
One of the big questions is whether an individual US state could request such a deal without federal consent. For example, German Länder can enter international agreements, but these need to be within their competences and they need the approval of the German federal government. Similarly, according to Article I, section 10 of the US Constitution, US states can only enter a legal compact or agreement with a foreign state with the consent of Congress.
However, Ralf Bendrath, senior adviser on digital rights for the Greens political group in the European Parliament, pointed out on Twitter: “Adequacy is not an international agreement, but a unilateral decision by the EU Commission.”
Chair of Digital Rights Ireland, TJ McIntyre, said that “in principle I don’t see why you couldn’t have adequacy determinations limited to individual territories within a third country.” But he pointed out that one obstacle may be that “the GDPR envisages contact between the EU and the third country, not an individual region. For example Art.45(6): ‘The Commission shall enter into consultations with the third country.’ A solo run by a US state would be problematic,” he said.
Ian Brown, CyberBRICS professor at FGV Law School, said he too had discussed the issue: “I cannot see it is possible in GDPR terms, and also because California is of course subject to decidedly inadequate federal law, and couldn’t stop onward transfer of data to other States.”
Rónán Kennedy, member of the Law School at the National University of Ireland Galway, picked up the same point: “How difficult, from a legal and technological perspective, would it be to ensure that EU personal data was not transferred outside CA? Cloud providers do offer hosting that will keep data within the EEA, but can they offer similar control of location at the US state level?”
Chris Hoofnagle, adjunct professor in the School of Information and in the School of Law at the University of California, Berkeley, weighed into the conversation online with his expert US perspective: “The Constitution vests power to ‘regulate Commerce with foreign Nations’ in federal government, so Congress could block and in past years, bills have been introduced to discourage European rules, but times have changed.”
“The new initiative (the 2020 one) is poised to seek adequacy for California. Presumably there would be pieces of paper that are taken VERY SERIOUSLY that promise a geographic limitation. But really seriously, California is huge and one could have regionally-separate systems in both Northern California and Southern California,” he continued.
“There are probably contract law strategies to defang 1st Amendment data selling arguments with regard to Europeans. But the CCPA will have 1st Amendment challenges related to opting out, deletion, and ‘do not sell my information.’ This is in part why the privacy advocates were lukewarm on CCPA — they wanted a fully opt-in system. But such an approach is fragile, especially because CCPA protects all personal information, not just what judges think is ‘sensitive.’
“Now the question is whether companies will think that they have free rein to sell data, so long as they do the website disclosure. I thought companies would do anything to avoid the disclosure, but even the biggest brands are doing it (and thus can sell),” he concluded.
Walter van Holst, senior consultant at Hooghiemstra & Partners, was also wondering whether California would be competent to request such status under the US Constitution, but, regardless, “at first glance the CCPA shouldn’t qualify for adequacy anyway,” he said.
“It is an excellent question, nonetheless. It is for now mostly hypothetical, a carrot being waved in front of the California-based tech companies. ‘If you had fought less hard against this law, it might have given you an excellent opportunity.’ But long story short: I think California requesting adequacy would be interesting. The Commission may take it into consideration, but would on substance be unlikely to grant it. So, this is more a political show of a positive agenda than legally obviously feasible,” he concluded.
While the question might be more theoretical than practical at the moment, should Privacy Shield be revoked, businesses may well consider that California is at the very least a slightly more expedient place to store data. Expect privacy advocates to widen the debate to push for a more GDPR-like law at US federal level as well. The question may well be abstract, but it is not without its uses.