Should I do a Twitter thread on the European Court of Justice's #PrivacyShield ruling in #SchremsII? Seems like a good thing to do and honestly who doesn’t love story time? Here we go! (Caveat: just speaking for myself here)

So basically, it's 2015 all over again! 1/n

2/ I feel 5 years younger just typing this. Today’s invalidation of Privacy Shield by the ECJ is basically what happened to the EU-U.S. Safe Harbor arrangement that preceded the Privacy Shield.

3/ This is a story about whether data controllers can move EU personal data to a non-EU country.

4/ Under GDPR (and the Data Protection Directive that preceded it) data controllers (can only transfer an EU data subject's personal data to a country where it will be "adequately" protected.

5/ An adequacy determination by the European Commission is a holistic question covering the state of consumer privacy law, surveillance law, and rights of redress against companies and the government.

6/ The EC has to find that the country in question's environment affords a level of data protection "essentially equivalent" (but not identical) to what the data receives in the EU.

7/ The U.S. has never been deemed adequate, thanks to a dearth of consumer privacy laws + our surveillance regime post-9/11, which does not offer too much in the way of restraint or rights of redress.

8/ The EC has never really had to do a self-critical examination of EU member country surveillance regimes (they get an automatic pass for this particular purpose), but we'll soon get a test for the post-Brexit UK (cc: @astepanovich)

9/ So as a stopgap, the EU and U.S. have negotiated agreements that allow companies to commit to the FTC that they will protect data in a way that is adequate according to the EC, at a much higher standard than what is otherwise required in the U.S.

10/ In 2015, the first agreement (in effect since 2000), the Safe Harbor, was struck down by the ECJ following a case brought by Max Schrems.

11/ Schrems argued—and the largely ECJ agreed—that the U.S. surveillance regime as exposed by Snowden meant that the protections of the Safe Harbor were insufficient to protect EU person data from unreasonable and unredressable access by U.S. public authorities.

12/ (there were and are a lot of misconceptions about how U.S. surveillance authorities operate, but we'll call the Schrems I decision "mostly not wrong")

13/ Fortunately, in 2015, just as today, Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) continued to operate as alternative measures through which cos could commit their U.S. operations + vendors to an adequate level of protection, as approved by the EC.

14/ Privacy Shield was a successor agreement negotiated in 2016 to beef up the level of data protection offered by companies who commit to it.

15/ In the lead up to its adoption, the U.S.: 1) created an Ombudsperson in the State Department to oversee surveillance practices as applied to non-U.S. persons, and

16/ ... 2) passed the Judicial Redress Act to afford EU persons some new redress rights under the Privacy Act with respect to data held by the U.S. government (subject to a bunch of exceptions).

17/ The U.S. otherwise did basically nothing to reform its surveillance laws, aside from pass the USA FREEDOM Act (which significantly restricted a domestic metadata collection program and introduced amici to the Foreign Intelligence Surveillance Court).

18/ Fast forward to today, and it looks like the ECJ basically said all of that wasn't enough to make data protection conditions in the U.S. under Privacy Shield adequate. Thanks again, Max Schrems! More or less the same problems exist today as in 2015.

19/ Really, it seems the only answer the ECJ will accept is a wholesale reform of U.S. surveillance laws (FISA, EO 12333, etc.) as applied to EU persons.

20/ While the EU and U.S. sort out what to do, companies should be able to move personal data from the EU to the U.S. under SCCs and BCRs.

21/ There are some open questions on whether SCCs can operate within a country not deemed adequate by the EU (but then what’s the point of SCCs?), so expect more there.

22/ Anyway, this is long thread saying that surveillance regimes are a big pain in the ass for some corporate data transfers and processing across borders. Expect more guidance on this from EU DPAs and the Commission. FIN.