In today’s episode Monica Verma talks with an industry leader & technology lawyer Jan Sandtrø, who's been working with technology, privacy & their intersections for more than 20 years. In this episodes engaging conversations, they covering
a) What is Schrems I, Schrems II & what's US Foreign Intelligence Surveillance Act to do with it?
b) Is CLOUD act any less invasive?
c) All apps and applications are tracking us. What can you as a user do?
1. Why is Europe in kind of a data transfer 'limbo'? How did we get here?
"Max Schrems, he understood that much of his data—you know how much data—was transferred to the US and was available to the US surveillance authorities. And he didn't like that of course! Then, before he was a lawyer, he went to the—I think it was the first— Irish supervisory authority (Irish Data Protection Commissioner) and requested that they should impose a restriction on Facebook to transfer the data. And then the matter went to the European Court of Justice (the ECJ is the supreme court of the European Union, and part of the Court of Justice of the European Union, the CJEU). And the ECJ found that it was not legal to transfer the personal data to the US. And that was 'Schrems I' (Case C-362/14). And that terminated the Safe Harbor agreement. And then we had a period until the EC and the US Department of Commerce got an agreement, the next agreement called: the 'EU-US Privacy Shield'. I'm mostly impressed of the names of these deals. I don't know what the next one will be... the 'Super Safe Something'? And then this also went to the ECJ through the Irish supervisory authority. And then recently, the ECJ found that this agreement was neither okay, because the US surveillance authorities still had access! And we have to take into consideration that the EC—, they approved this arrangement or agreement to approve revisions. And then it was not good, or not sufficient, as the court provided. So, that leads us to the 'Schrems II' decision (Case C-311/18), which said that the Privacy Shield is no longer a valid basis for transfer to the US.
2. What is the CLOUD Act?
"The CLOUD Act came after 'The Microsoft Decision', or 'The Microsoft Ruling', for some years ago, where the prosecution authorities in the US needed some evidence. It was in six or seven courts until it made it to the High Court. And before it was a decision by the High Court, the CLOUD Act was imposed, and the CLOUD Act was endorsed by Microsoft, etc. Because then they didn't have a case anymore. They could hand over the data, or have to hand over the data, but it was a legal basis. So the CLOUD Act was imposed to get criminal data. Almost all countries in the world can request the data based on criminal charges from any country in the world. So they make a request, and then you have a decision in that country to hand it over. And that's normally done under 'The Budapest Convention'. So the CLOUD Act in itself didn't invent so much, or bring so much new. It was more to have the formalization of the process.