NPA 2023 Keynote: Rules on data transfers can limit freedom of speech





The Nordic Privacy Arena (NPA) is an annual conference for people working in the field of data protection. The 8th edition of the NPA was held as a semi-digital event on 25-26 September 2023. The conference featured no fewer than 20 agenda topics on data protection and had more than 300 on-site participants at Münchenbryggeriet in Stockholm. Participants also attended online. This is the first of three articles highlighting some of the lectures and discussions that took place.

International transfers were one of the main themes of the conference. Two keynote speakers, Kim Parviainen, Partner at Castrén & Snellman, and Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy Practice, Fox Rothschild LLP, shed light on the topic of transatlantic data flows from a European and an American perspective.

The future of the EU adequacy framework – the EU perspective 
Kim Parviainen, Partner at Castrén & Snellman

In his keynote, Kim addressed the challenges associated with the international transfer of data, particularly between Europe and the US. He emphasised the need for a reassessment of the current legal framework and highlighted the tensions between European data protection requirements and the US legal system. He said that he does not know whether the transatlantic data privacy framework will hold if it is challenged in the European Court of Justice.

He encouraged us to look at the issue of international transfers from a wider perspective, for example by viewing data protection in relation to the right to freedom of speech. To spark discussion, he said that we have now locked ourselves into an impossible legal situation, because the European Court of Justice considered US law incompatible with EU data protection law and, according to the guidelines of the EDPB, there is not much controllers can do about it.

Kim highlighted the main problems identified in the Schrems II decision: the lack of necessity and proportionality in interferences with data protection, and the lack of legal remedies for those who feel their data protection rights have been violated. These problems were not only due to the GDPR, but had their roots in the constitutional rules, namely in the Charter of Fundamental Rights of the EU.

He also mentioned the changes the US has made to address these issues, including an executive order requiring necessity and proportionality in intelligence operations and the establishment of mechanisms such as the Civil Protection Officer and the Data Protection Review Court.

He went on to explain that there are two legal frameworks that apply in parallel: the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights (ECHR). The EU Charter states that the protection it provides should never be less than the protection provided by the ECHR. He further explained that the transfer of personal data is a matter of fundamental rights, but then reminded us that we should also take into account other fundamental rights, in addition to those of the data subjects whose data is being transferred.

Kim referred to extracts from the Charter of Fundamental Rights of the European Union, in particular Article 7, which deals with the right to privacy, and Article 8(1) on the right to data protection. He also referred to Article 51(1) of the Charter, which states that these rights may be restricted in certain circumstances. He pointed out that these restrictions must be provided for by law and must respect the essence of the right(s) and freedom(s). They must also comply with the principles of proportionality and necessity.

Kim then explained that the transfer of data outside the EU is an interference with our right to data protection. He pointed out that the justification for this interference must be examined under Article 51(1). Whether this is a legal restriction is likely to be a topic of debate. He also mentioned Article 11(1) of the Charter, which deals with the right to freedom of expression, including the freedom to hold opinions and to receive and impart information and ideas freely.

After referring to these frameworks, which protect the fundamental rights to privacy and freedom of speech, and to the cases in which those rights can be limited, he went on to say that we need to remember to look at values other than just privacy. He mentioned the Bodil Lindqvist case from Sweden, where a private citizen was held to be a data controller after publishing information about other people on her website. He also referred to the Buivids case, where, for example, a citizen recorded footage of police officers using excessive force. In cases like this, a person who publishes such footage online could be considered a data controller who transfers personal data to a third country. He also mentioned the Ryneš case, where a man who installed a security camera at his home after a break-in was also deemed a data controller.

Kim reflected on these cases and stated that it could be seen as an interference with the freedom of speech if individuals in cases like these can be deemed data controllers subject to international transfer rules.

US perspective of the new EU-US Framework
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy Practice, Fox Rothschild LLP

Odia’s keynote speech focused on the commercial part of the transatlantic data privacy framework, that is, how American companies process personal data. One thing she emphasized was that, surprisingly, very little had changed in comparison with the Privacy Shield principles. The Article 29 Working Party (the predecessor of the European Data Protection Board under the legislation before the GDPR) had been very critical of the principles.

At the same time, one of the key messages of her presentation was that a lot has changed in practice in the United States during the past 20 years, even though the rules have not changed so much on paper. She went on to explain that the Federal Trade Commission (FTC), which enforces privacy rules, has a completely different approach.

The FTC is taking action against companies for violating privacy as a matter of unfair and deceptive practices. Odia said that although there is no federal privacy law in the United States, the FTC plays a more significant role in privacy enforcement and has taken a more proactive and assertive role.

According to Odia, the UK Adequacy Decision acknowledges the difference in the enforcement mechanisms, considering the general framework in the US, the FTC’s actions, and state law. 

Odia stated that the current landscape of data transfer regulation is complex and continuously evolving, with institutions like the FTC playing a critical role in shaping and enforcing the rules. She went on to explain how data protection enforcement in the US had changed significantly, by using the BetterHelp case as an example. The Federal Trade Commission (FTC) fined an online therapy service provider $7.8 million for sharing client metadata with Facebook, Google, and other platforms without the consumers’ knowledge or consent. 

From a US perspective, she said, the FTC’s stricter enforcement is groundbreaking, and she also pointed to the fact that the US Department of Commerce will conduct more random inspections, which is evidence that there has been a significant change in the way the United States approaches privacy enforcement.

In addition, Odia pointed out that the definition of ’personal information’ in several states’ laws has also evolved significantly. The Californian privacy law (CPRA), for example, now has a broad definition of personal data similar to that of the EU GDPR and addresses the use of AI for surveillance in public spaces. The view of how public data can be used also seems to be changing, as the Federal Trade Commission (FTC) has spoken out on companies using data in ways that are unexpected for consumers.

Odia went on to say that she has also seen state laws that have developed rules for privacy notices similar to Articles 13 and 14 of the GDPR, and that the FTC has also issued guidance that addresses profiling in detail. With respect to consumer financial data, the U.S. Consumer Financial Protection Bureau is also more ambitious in enforcing data principles such as accuracy, purpose limitation and data minimisation.

She continued to give examples where state laws now include stricter rules on incompatible uses of data, as well as tighter restrictions on the use of sensitive personal data such as gender identity, immigration status and the like. All US state laws governing the use of personal data now include provisions that give individuals the right to access any personal data that companies have stored about them.

In summary, Odia painted a vivid picture of how US law has changed over the last 20 years and how enforcement of personal data provisions has become much more similar to EU data protection rules.