UPDATED: EU-US Pact Should Embrace Statutory Pseudonymisation as a Technical Supplementary Measure

It was announced at a joint press conference on 25 March, by US President, Joe Biden, and EU Commission President, Ursula von der Leyen, that the US and EU have reached “an agreement in principle on a new framework for transatlantic data flows” to “enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.'"

A review of the situation from the following perspectives highlights the narrow path required for any such arrangement to be possible, nonetheless sustainable, namely, trans-Atlantic embracing of technical supplementary measures as recommended by the European Data Protection Board (EDPB) and the senior-most EU regulator, the European Data Protection Supervisor (EDPS).

• National Security Pressures: Earlier the same week as the joint press conference, Politico reported in The Supreme Court just made a US-EU Privacy Shield agreement even harder that “The U.S. Supreme Court’s decision this month in FBI v. Fazaga, a case challenging FBI surveillance, will make it significantly harder for people to pursue surveillance cases, and for U.S. and European Union (EU) negotiators to secure a lasting agreement for transatlantic transfers of private data…The justices gave the U.S. government more latitude to invoke “state secrets” in spying cases. But ironically, that victory undercuts the Biden administration’s efforts to show that the United States has sufficiently strong privacy protections to sustain a new Privacy Shield agreement — unless Congress steps in now.” It is critical to note that the reason for the invalidation of the prior Privacy Shield treaty enabling lawful trans-Atlantic data flows by the supreme court of the EU - the Court of Justice of the European Union (CJEU) - was concern over the surveillance of EU citizens by US government agencies.
• Executive Order versus Congressional Action: It is important to note that only a “deal in principle” has been reached, indicating an understanding that could lead to an actual “deal.” All indications are that such a deal would be in the form of an Executive Order enabling President Biden to act without requiring Congressional endorsement. However, executive orders are only temporary until a new President decides to undo them. The CJEU ruling in the Schrems II decision (the case brought by privacy advocate Max Schrems that led to the invalidation of the Privacy Shield) requires either:

• Guarantees in law which can only be achieved by an Act of Congress (the current Congress is too bipartisan currently to pass a law limiting the scope of US surveillance); or
• Technical supplemental measures recommended by the EDPB and by the EDPS that enable ongoing data processing while safeguarding the fundamental rights of EU citizens to privacy and data protection under the EU Charter of Fundamental Rights.

• Obligations of EU Member State Data Protection Authorities (DPAs): Even if the EU Commission were to pass a treaty, based on an Executive Order issued by President Biden, DPAs from all 27 EU member states would be legally obligated under the CJEU Schrems II decision to force companies to suspend transfers if there is not an essentially equivalent level of protection in the US as there is in the EU.
• Attention of Advocacy Groups: As reported by TechCrunch, “Max Schrems, the privacy lawyer and campaigner whose name has become synonymous with striking down transatlantic data transfer deals (aka, Schrems I and Schrems II) was quick to sound a note of scepticism over what’s been cooked up this time. Responding to von der Leyen’s announcement in a tweet, he wrote: Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights…This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but my [first] bet is it will fail again…Schrems famously — and correctly — called Privacy Shield lipstick on a pig. So, his assessment of the text, when it emerges, will arguably have rather more weight than the Commission’s. Via his privacy advocacy not-for-profit, noyb, Max Schrems also said he expects to be able to get any new agreement that does not meet the requirements of EU law back to the CJEU within a matter of months (e.g. via civil litigation and preliminary injunction).”
• Opinion of EU Data Privacy Lawyers: The following tweet from Gerard Rudden, a Dublin solicitor specialising in data protection, highlights the view of informed EU privacy lawyers:

• As noted by my Belgium attorney colleague, Magali Feys, when improved EU-US relations were first announced, [1]

Sustainable technology and trade decisions cannot be made without considering the ethical impacts on personal rights under the EU Charter of Fundamental Rights. The Schrems II ruling requires organisations to cease the former practice of processing data “in the clear” without protection in place during processing; this practice is unsustainable and exposes unprotected data to security and surveillance breaches. Protecting data during processing - not just when it is at rest or when it is in transit - makes data use sustainable plus increases privacy.

The Executive branches of the US (represented by President Joe Biden) and the EU (represented by President Ursula von der Leyen) will require the cooperation of both the Judicial and Legislative branches of their respective governments to reconcile fundamental conflicts between how the US and the EU enforce privacy rights. For example:

• JUDICIAL CONFLICT: In the EU, the Schrems II ruling by the CJEU requires new technical safeguards to ensure EU-style data protection rights when data is processed in the US due to concerns over potential surveillance by government agencies. In contrast, the US Supreme Court recognises a “third-party doctrine”[2]  under US law which holds that once a person voluntarily gives information to third parties like banks, phone companies, internet service providers, and email providers, they have "no reasonable expectation of privacy".
• EXECUTIVE & LEGISLATIVE CONFLICT: In the US, if an organisation tells a consumer what they plan to do with their data, they can do just about anything they want to so long as it was described to the consumer. In contrast, data protection is a constitutional right under the EU Charter of Fundamental Rights that cannot be infringed even if a data subject is made aware of an organisation’s intent to do so in advance.[3]

Short of Judicial and Legislative action altering US surveillance and privacy laws, the only sustainable approach is trans-Atlantic embracing of technical supplementary measures as recommended by the EDPB and the EDPS to enable ongoing processing of data while safeguarding the fundamental rights of EU citizens under the EU Charter of Fundamental Rights.

• In a December 2021 EDPS webinar, Thomas Zerdick, Head of Technology and Privacy at the EDPS, stated that “After the Schrems II ruling, the debate on pseudonymisation has gained momentum as many consider it as the most viable “supplementary measure” to transfer personal data to third countries not offering an equivalent level of protection.”
• In its final recommendation of Schrems II compliance in July 2021, the EDPB highlighted GDPR-compliant Pseudonymisation as lawful “Use Case 2” for lawful transfer and processing of EU data under Schrems II.
• GDPR-compliant pseudonymisation helps to enable lawful international transfer and processing of global data by establishing by default the processing of protected GDPR-compliant pseudonymised data whenever, wherever, and as often as possible (as required by GDPR Articles 25 and 32) to ensure protected processing within the control of the EU Data Controller (a Data Embassy, [4] as it were) so that non-pseudonymised (i.e., identifying) data is processed only when authorised and necessary to satisfy GDPR Articles 5(1)(b) Purpose Limitation and 5(1)(c) Data Minimisation requirements.

The challenge is that most people are not up to speed on what is required to satisfy the requirements and reap the statutory benefits of Pseudonymisation - both under the GDPR as well as an increasing number of global and US state privacy laws (e.g., the California, Virginia and Colorado privacy laws) which have adopted the GDPR definition of the term.

The lack of clarity regarding the requirements for and benefits of statutory Pseudonymisation was the topic of a January webinar on this topic as well as the inaugural February Pseudonymisation Podcast, sponsored by a LinkedIn group of over 9,400 senior global privacy professionals advocating for increased awareness of statutory Pseudonymisation.

Any hope of a sustainable resolution of the desire for strong trans-Atlantic data flows in compliance with both EU data protection laws and US surveillance laws should include scrutiny of the requirements for and the statutory benefits of Pseudonymisation as a compliant technical supplemental measure under the CJEU Schrems II decision.

[1] See New EU-US Trade and Technology Council (TTC) Must Abide by Schrems II Requirements to be Lawful, Sustainable & ESG Compliant

[2]  US Supreme Court decisions in United States v. Miller, 425 U.S. 435 (1976) and Smith v. Maryland, 442 U.S. 735 (1979) hold that individuals do not have a reasonable expectation of privacy in checks and deposit slips they give to banks (Miller) and phone numbers they dial (Smith) since in exposing them to third parties they assume the risk the information could be handed over to the government. See Congressional Research Service The Fourth Amendment Third-Party Doctrine report.

[3] See Supra, Note 1.

[4] See Data Embassy Memorandum to the EDPB. See also Italian university dissertation on using GDPR pseudonymisation for purposes of creating “Data Embassies” for Schrems II compliance, available at https://www.schremsii.com/epilogue. Data Embassy is also a trademark of Anonos.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.