International: Choppy waters
Most people know that water covers nearly three quarters of the Earth's surface. We also learn in school about the water cycle involving evaporation and precipitation, which basically means that water is always moving. And whether we learnt it in school or not, we all know that water is precious and vital for all forms of life, including our own. So, while it has become a cliché to say that data is the new oil, it is actually more accurate to say that data is like water - ever present, fluid and vital. Data is also big business - particularly personal data - but as with water, no matter how abundant it may seem, personal data must be handled responsibly and with respect. One of Earth's most powerful courts - the Court of Justice of European Union ('CJEU') - has now confirmed what this responsibility means in a global context and, as a result, we are in choppy waters.
With the relentless growth of digital networks over the past 30 or 40 years, global data flows have become an essential part of how we live, work and communicate. Like the water in our oceans and seas, data flows in interconnected and unrestricted ways. The internet owes its very existence to the objective of providing reliable communications during a serious international crisis. Throughout the years, different legal frameworks have attempted to place limitations on international data transfers for different reasons and with different degrees of success, but data has continued to flow. The CJEU decision on the Schrems II case unequivocally confirms that such limitations must indeed be maintained under European law. The real question is how to make such rules work in practice when the truth is that data is bound to continue to flow.
International data transfers are not the result of tech companies' business plans. They are the result of a technological evolution that has sought to meet our human demands. As progress was driven by our digital capabilities, international data transfers became essential for the modern world. That was true yesterday and remains true today, irrespective of the legal nuances that we now face. So the answer to any legal framework that seeks to restrict international data transfers in the name of the protection of personal data is not to stop the data from flowing. Data localisation is not a solution. It is short-sighted political wishful thinking. The CJEU is aware of that and has not called for the retention of personal data within the boundaries of the EU. What we need is creative but realistic ways to seek the protection sought by the law irrespective of the forces of the tide.
In the world of data, the tidal forces also move in many different directions. Much of the current focus is placed on transfers of data from the EU to the US, but it would be wrong to present Schrems II as purely a conflict between European data protection and American surveillance. The CJEU's decision is actually about finding a formula to navigate the turbulent waters of global data transfers that is compatible with the requirements of the GDPR and the political realities of the world we live in. Government access to data is one of such realities - in the US and everywhere else. The CJEU is steering us - as it has always done - in a direction of travel which seeks a balanced approach to that access rooted in democratic principles and effective remedies for individuals.
This leaves us looking for solutions. But we are not stranded in a dingy in the middle of the ocean. We should rely on the CJEU's wise words to find a way forward based on privacy and data protection safeguards that ensure an adequate protection for our digital lives. Personal data will never stop flowing but that does not mean that we should be resigned to drown in a sea of legal conflicts.
Eduardo Ustaran Partner
Hogan Lovells International LLP