Privacy Lawls with Donata
Ep.27 | EU/US data privacy framework explained (Guest: Matthew Baker)

What does it look like to transfer data between the EU (with GDPR) and the US (with state privacy laws, but no federal one)?
We explore that and more on this episode of Privacy Lawls.
Show Transcript
[00:00:00] Hello and welcome to episode 27 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals and we have some laughs along the way as well. Today I’ll be speaking with Matthew Baker about a recent decision by the European General Court affirming the EU-US Data Privacy Framework.
Matthew is the chair of Baker Botts’ Privacy and Cybersecurity practice, a Certified Information Privacy Manager and a Certified Information Privacy Professional for the US and European jurisdictions. Matthew’s practice spans data privacy, cybersecurity crisis management and incident response, and he helps clients navigate the complex web of regulations, advancing technologies, and cyber threats.
Matthew, thank you so much for joining me today. Absolutely. I’m happy to be here. Thanks for the invite. Of course. Um, so you chair your firm’s privacy and cybersecurity practice group. What are the [00:01:00] advantages of having a practice group that focuses on these fields specifically? Yeah, that’s a great question.
I think in today’s environment, um, of constant data threats and evolving privacy laws, having a dedicated privacy and cybersecurity legal team is extremely valuable for clients. I see a few big advantages to having these types of dedicated practice areas, and the first is really about specialized expertise.
I think privacy and cybersecurity law is complex and fast moving, and it requires a really dedicated focus. And by having a team that eats, sleeps, and breathes these issues, we can ensure that no detail is missed and that we’re well versed in the nuances of relevant laws and standards, especially as technology and innovation push forward as rapidly as they have been.[00:02:00]
Mm-hmm. I also think that having these dedicated practice groups helps with navigating evolving regulations. So privacy rules are constantly changing, as I said, and emerging across all jurisdictions, and they can be nuanced and they can be different. And so having this dedicated practice where people are staying on top of all this helps to serve our clients’ interests and helps them stay compliant and resolve risk.
Yeah, on the cyber side of the house, I think having a dedicated team helps with incident response readiness. Data breaches and cyber incidents require immediate, skillful handling, and having a dedicated privacy and security team means our clients have a breach response counsel on call who’s [00:03:00] experienced in managing these crises.
And I know a lot of different firms and a lot of practice areas have crisis management and incident response. There is a difference between physical and cyber, and having that really necessary expertise is critical. And finally, I think the multi-jurisdictional approach and strategic insight is really valuable here, because privacy really touches on all kinds of areas. It’s practice agnostic, it’s industry agnostic, and it takes not just legal acumen, but also technical and business awareness, and also cultural awareness. And so having a really dedicated group that’s experienced in working with companies and organizations that operate in multiple jurisdictions, in multiple different areas on a global platform, helps to understand the way that what clients are doing with personal data has an impact on [00:04:00] the end users or the data subjects, and we wanna make sure that those are protected and that trust is embedded in what companies do, whether it’s for external data subjects or internal ones. So these kinds of dedicated privacy and cybersecurity practice groups, I think, provide really specialized knowledge, agility, and just comprehensive support that companies need in today’s digital landscape.
Yeah. To me the, um, the specialized knowledge is so important. I mean, I can’t say how many instances I’ve run into this where a business says, well, we’re just gonna have our business or our contracts attorney write our privacy policy.
Right? And then you look at that privacy policy and it’s like, you know, we have all these cookies running on our site. We have all these advertising trackers, all these analytics trackers, and they would never collect your personal data. And I’m like, hold on a minute. Like we’re running into an issue that’s [00:05:00] almost like malpractice here.
Yes. Because you don’t understand how these cookies and scripts work, or you don’t understand how websites work, and you’re just saying, oh, we don’t collect any of your personal data, or you don’t need to worry about CPRA because your business is not located there, or you don’t need to worry about GDPR because your business is not located there.
To me that’s, you know, very close to being incompetent, so I always caution people. You know, if you are going to try to use your business attorney for this, make sure that they have a thorough understanding of privacy laws and that they track them and they track rules, regulations, and enforcement actions.
Because, like you said, there’s so much going on in this field, and it is kind of like me being a privacy lawyer. I’m not gonna offer to do somebody’s divorce because I just don’t understand enough about it. So having that specialized knowledge is really, really important here. For sure. I couldn’t agree more.
And I [00:06:00] will say that I see a lot of issues arise from a risk perspective with clients that, you know, have had people or lawyers or even non-lawyers help them with compliance aspects. And that tends to, down the road, get people into trouble. Mm-hmm. And it’s often because the nuance in your example is that we as privacy and security legal professionals often operate as a conduit or a translator, if you will, from the legal to the technology and the business. And we can help translate and understand all the different stakeholders and how they operate and what they need. And if you’re a lawyer looking at just the text of a regulation or the text of a law or the text of best practices, but you don’t understand the technology, you are overlaying a simple idea [00:07:00] over a complex process. To your point, cookies and what they may or may not collect or do on a company’s website, and what risk that starts to increase or raise.
Yeah, absolutely. So somebody’s working in a firm and they already have a number of privacy or cybersecurity specialists, but they don’t have, like, a practice group in place.
What advice, um, would you give them if they wanna form a practice group in their firm? Yeah, that’s a great question too. I think I’ve got a couple different ideas about this. After having been the chair for many years now and understanding how different lawyers operate and different client needs arise, I’ve got a couple ideas about how a successful privacy group can come together.
And the first, I think, is making sure you’ve got enough cross-practice experience, because a privacy lawyer isn’t just a privacy [00:08:00] lawyer unto his or her own right. We all have our own foundational legal precepts. Myself, my background is as a litigator, but I have people within my group that are also IP lawyers or corporate lawyers.
And that has been incredibly valuable because we all pull from different skill sets when we, again, overlay privacy, AI or cybersecurity on top of a deal or an enforcement action or a cyber incident or some piece of litigation that might arise, and that is really valuable. So having lawyers that not just have the privacy expertise but that can build upon and lay that expertise upon a more traditional and foundational legal training is really critical in my view. The other thing is, as I said earlier, I think privacy has become, and security has become, industry agnostic. I [00:09:00] think for a long time it was more thought about in the consumer space, but it affects every business now globally. And I think having lawyers that understand different industries and practice areas is really, really helpful.
The next thing, I think, is having, I’ll say this and then I’ll explain it, having a single pillar practice, and what I mean by that is not pulling apart privacy and security or even AI and putting them in their own practice areas. From my experience, when clients come to a firm or any lawyer and they need help, they don’t need three or four lawyers touching a matter because each of us has discrete expertise in that singular area. Privacy and security, and [00:10:00] now AI, are becoming so inextricable that it’s really important to have everybody working together so that when we are reviewing either regulatory issues or compliance best practices, or even when we’re helping a client in a deal or in connection with a piece of litigation, being able to issue spot is really critical, and being able to do it with a singular team is even more important for a client. It creates a lot of efficiencies and a lot more protections for clients. And then in connection with that, I think there’s a really interesting aspect that, in my view, some firms don’t think about often enough, and that is the focus on talent retention and development, in particular young lawyers.
So if you’ve got this single or singular pillar for a practice group where you’re all looking at privacy, security, and AI as a holistic topic, [00:11:00] it helps, I think, develop and retain talent so that you can look at succession planning, you can look at scalability within your group, which I think is also really critical, not just for the longevity of a practice, but also for great representation of clients.
Yeah, no, that’s really great advice. Um, I think it’s interesting that you note that, like, for us, and no offense to you or myself, but like older lawyers, we all started as something else. Yes. So, you know, we all started in, like, litigation or we did contracts, um, or we did business law. It’ll be really interesting to see how it works when some of the newer lawyers start immediately, you know, working in privacy.
They didn’t do something, like, tangential and then found privacy and fell in love with it. You know, they just started there. Um, so I think that’ll be really interesting to see. You are [00:12:00] absolutely right about that. It gives me a little pause if I’m honest. And I try very hard to bring my associates that do sit in the privacy and security practice group into other matters so that they can see how a deal functions or how litigation works more generally, so they can leverage those opportunities and leverage that experience as they continue to grow and develop in privacy and security.
And frankly, I’ve even talked to some young lawyers that leave firms that are too siloed, and that’s what I meant by, you know, again, that single pillar bringing everybody together. They feel like it’s too siloed. They’re only focused on one thing, and it might feel like you are not giving enough to your training and development, and therefore don’t have enough to offer or provide to a client when they come to you for these big, broad, wide-scale issues.
Yeah, I could see that being discouraging and boring for [00:13:00] somebody, you know? Mm-hmm. And also hard to give clients advice. You know, sometimes the clients will ask us, like, what’s the risk of me being sued here? And what would that look like? And if you know nothing about litigation, you can’t give them an answer.
So it’s good to give them a broader perspective, for sure. Especially as the area of privacy, which used to be much more about simple regulatory compliance and, you know, advice on innovation. But now we have such a grip within the plaintiff’s bar where they’re using all kinds of different mechanisms to litigate privacy issues. And then of course, we now have more global regulators that are picking their heads up and creating more enforcement actions. So you’ve got that to deal with as well. Mm-hmm. It’s just become a much more multifaceted legal precept and practice. Yeah, absolutely. So let’s get into [00:14:00] talking about the European General Court decision.
So that was regarding the EU-US Data Privacy Framework. So what was the legal challenge to the DPF that Latombe brought, and what were his main arguments against, um, the adequacy of the DPF? Yeah, this was an interesting case that came down, um, especially in light of the predecessor cases, the Schrems cases from the Court of European Justice.
So Philippe Latombe brought a challenge in his own right about the Commission’s adequacy decision that they granted the EU-US Data Privacy Framework. He basically sought to annul that July 2023 decision, which ultimately greenlit the DPF as a valid mechanism for transatlantic data transfers under the GDPR.
[00:15:00] His primary arguments, um, he had a multitude of arguments. And I’ll just touch a little bit on each of them and then we can certainly get into details if we need to. But first, Latombe’s central claim was that the US surveillance practices still fall short of the EU’s privacy standards, those under the General Data Protection Regulation, despite reforms that were introduced by Executive Order 14086. Um, he basically argued that US intelligence agencies retain overly broad powers to access personal data of EU residents, especially under laws like FISA Section 702, which is our Foreign Intelligence Surveillance Act.
He also claimed that there was a lack of effective judicial redress for [00:16:00] EU citizens. A core pillar of the DPF is the Data Protection Review Court, otherwise known as the DPRC, and it’s a new mechanism for EU individuals to challenge surveillance misuse. And Latombe claimed that this wasn’t essentially a genuine court, and we can talk about that in a little more detail in a moment.
He also argued that there was no protection against fully automated decision making, and I think this is really interesting because it obviously comes in light of such incredible advancements with generative AI and other types of artificial intelligence. So he basically argued that the DPF fails to guarantee protections equivalent to Article 22 of the GDPR, which is the automated decision making provision.
And it [00:17:00] prohibits significant decisions based solely on automated decisions and processing of personal information associated with those decisions. So the last argument that he made was that there was inadequate oversight of legal remedies for EU residents. Um, he argued that the DPF lacked meaningful enforcement and oversight, and this is because the US made commitments via an executive order, which isn’t binding legislation here.
The oversight bodies like the Privacy and Civil Liberties Oversight Board and the DPRC lacked structural guarantees of independence, and individuals had no transparent, accountable processes to pursue redress for legal violations, which is indoctrinated into the GDPR. So in essence, Latombe believed that the DPF did not truly fix the problems that led to Schrems II, which is [00:18:00] all about the excessive US surveillance and ultimately dismantled the Privacy Shield. Yeah, I think some of those, there’s definitely some good arguments in my opinion there. Um, you know, it took so long and so much effort to get to the DPF from our political system, but, you know, we still don’t have a comprehensive federal privacy law that offers privacy rights to everybody.
Um, I mean, I was reading a federal privacy bill that was proposed two days ago, and it’s like two pages, you know? Yes. Some of it is like, man, y’all could put like a tiny bit more effort into this. But we all know it’s not gonna pass anyway. So really what does it matter? What’s the, yeah.
What’s the point in reading these things? There have been so many over the past several years that have not come to fruition yet. Yeah. Part of my job is tracking these, and it’s really funny because, um, there’s a bill and [00:19:00] one year it doesn’t pass because there’s all this contention about it. And next year they propose the same exact bill with the same exact text, hoping that somehow by magic everybody’s gonna agree to it now.
Yeah. You know, I’ve seen bills where, um, you know, you have, uh, what would say, like, you have to collect, you know, the personal information of 10,000 or more residents of the state for this law to apply to you. But instead of the 10,000, there’s an X. Like, who proofreads these things? Yes. And it’s so difficult.
You know, you are pointing to, uh, many of the thresholds that are indoctrinated into state-based comprehensive privacy laws, and it is so difficult for companies to understand. Unless they are counting and tracking and can have traceability around every single data subject, which is so difficult to do, how would one organization [00:20:00] versus another know this is applicable to me and not applicable to me? It’s a very challenging environment when you make those applicability thresholds into more concrete numbers. Yeah, absolutely. Because when somebody submits a contact form on your site, they’re not gonna say, hey, I’m a resident of Maryland. That’s right.
And I’m interested in your services. You know, people just don’t do that. So, yeah. But anyway, getting off topic here. Um, the US, uh, redress mechanism, how did the court address that?
So the redress mechanism being the DPRC, I think, is that what you’re referring to? Yep. Yeah. Perfect. This was an interesting one because, you know, as you noted earlier, there were some really, you know, strong arguments that Latombe brought to the court. And I think this is one of them, basically.
[00:21:00] Latombe was arguing that a core pillar of the DPF is this Data Protection Review Court, which is a brand new mechanism for EU individuals to challenge surveillance misuse. And he claimed that this wasn’t a genuine court, and that’s because it’s not part of the US judiciary. It was created through the executive branch, again, by executive order, and DPRC members are appointed and overseen by the US Attorney General, which is compromising their independence and impartiality versus, for example, in the actual federal judiciary where they’re appointed, um, especially, you know, on the district level.
Um, it’s a lifetime appointment. And then finally he was claiming that EU data subjects in particular [00:22:00] lack direct access to that court. They can’t appear, they can’t be heard, and they don’t see the evidence used in any of these decisions. So his position is that this court lacks the procedural guarantees that the EU requires to be an effective remedy.
So how did, what did the court say about that? I mean, why did they find it to be sufficient? So the court essentially said that it only needed to be, uh, essentially substantially similar, that it didn’t require courts to necessarily be part of the judiciary, that the act of having a redress mechanism on its own was sufficient, even though EU citizens might not be able [00:23:00] to, for example, appear directly in court, but that the idea of being substantially similar or an essential equivalence, which is the phrase used under the GDPR, didn’t require an exact copy or idea of what the EU redress mechanisms should be or should look like. It’s that they are substantially similar or essentially equivalent. And that’s where the court came down, especially with respect to the DPRC.
Got it. So it’s like you have something, it might not be effective, it might not be the best, but there’s something in place. So we’re gonna count that as good enough, basically. That is exactly right. And it’s really important to note that when the court reviewed this challenge and this claim, they specifically [00:24:00] said that they were looking at the Commission’s decision from July 2023 and all of the relevant information at that time, and not what it might be like now in 2025 when they ultimately rendered the decision. So there’s this interesting gap between when the Commission granted the adequacy decision, when the DPRC and other oversight mechanisms were established via the executive order, and what they actually operate like now today, and how they may have changed over time, in particular with changes in our political administration and what might be happening from a, you know, a political perspective.
And so to me that was two things. It was a way to be deferential to [00:25:00] the Commission, which I think is interesting because the Court of Justice in the Schrems cases was not as deferential to the Commission’s decision, but this definitely was. But it was also this really interesting way of sidestepping a number of things that I think we all understand happened when the administrations shifted over, from more of a political perspective than simply a legal perspective. Mm-hmm. Do you see any gaps or vulnerabilities in the court’s reasoning in this decision that could potentially be challenged on appeal? I do. To me the biggest ones are that, first and foremost, the DPF relies almost exclusively on the executive order, EO 14086, and that [00:26:00] it’s not an enduring piece of legislation, statutory law, for example, and that a number of the oversight mechanisms
are quite politically contingent and not structurally entrenched. And so as we said very early on, you know, I think some of these challenges and the arguments that Latombe made were decent ones, strong ones, because we can already see some of the dependencies of the executive order breaking down and some of these oversight mechanisms potentially unraveling. And I think that what’s gonna happen is there will be a challenge, I think an appealable challenge to this. And if we’re taking cues from what the Court of European Justice did in Schrems I and II, where they essentially questioned the adequacy decision, especially in Schrems II, they looked at it [00:27:00] not at the time the Commission made the decision, but what’s going on now. And if they do this again, they being the Court of European Justice, I think they would likely take a very similar approach and not the approach that the current court took, which is to say they’re looking at it only at a moment in time and being very deferential to the Commission’s decision.
And a lot of that was based on the fact that the Commission has a duty to continuously review these adequacy decisions, make changes, potentially repeal or even amend the decision, should that essential adequacy change or differ over time. Yeah, I think when you look at other countries that have received adequacy decisions, like Canada, their systems look very, very different from ours in terms of privacy protections, [00:28:00] and it’s hard to see how this current system that we have is going to be sustainable long term in terms of an adequacy decision, at least in my opinion. You know, you have countries that have very comprehensive laws, that have very comprehensive systems. It’s been entrenched for a long time. You know, everybody understands the rules and follows ’em, versus this kind of half-baked pancake that we have here that we try to rebake every couple of years to see, hopefully, this time it works. That’s exactly right. And I think that you’re hitting on something exactly like what Latombe is arguing here, and what I do think is part of the vulnerability, uh, in this adequacy decision, in that it’s just not enduring.
You rightly pointed to Canada, and they have these statutory laws entrenched in their system. Brazil just received an adequacy decision, and they have developed a very similar GDPR-like [00:29:00] framework that is law and not just this transient presidential order that could be overturned at any moment should the administration turn over or the current administration decide this is something that no longer works for the United States.
And so you see them in a very different light. And you see, again, the enduring aspect of the legal precepts entrenched in those systems, uh, and how fragile they can be, especially in the United States, based on simply the EO and not other legislative or even court-driven efforts. Yeah. So, I think you’ve already answered this, but I do kind of wanna ask it again just to make it super clear.
Should companies that are certified under the DPF still maintain fallback strategies like standard contractual clauses? I believe your answer is gonna be yes, but I do wanna try you. You nailed it. Um, listen, as a privacy professional, there’s no way I could look a company in the face and say, simply rely on the DPF.
The court [00:30:00] has spoken. All is good. Companies that are operating under the DPF should absolutely maintain fallback transfer mechanisms, uh, up to and including standard contractual clauses. This is probably the best, ’cause it’s that belt-and-suspenders resilience, and it gives a lot of assurances in other aspects too.
And those are, you know, essentially that even if you might be relying on the DPF as an individual organization, it may not help with onward transfers. So you might still need to use standard contractual clauses if you do operate with different subcontractors, for example, or any onward transfers that might happen outside of the DPF.
I also think that SCCs integrate a little bit better into now-required transfer impact assessments than if you were simply relying exclusively on the DPF. I also think that regulators, especially [00:31:00] regulators in the UK and the EU, expect these kinds of fallback arrangements because there have been so many challenges, successful challenges, to these more framework-based transfer mechanisms. And then I just think, you know, business continuity demands this. If you are an organization that is heavily reliant on the international transfer of personal data, you need to really think about business resilience and continuity.
Because as we saw from the Privacy Shield being struck down, it can happen quickly, and you need to continue to maintain compliance over these potentially large, continuous transfers that might be happening out of the EU and [00:32:00] to the US. And then I think, honestly, my last thought on this is that the DPF might be legally stable for now, but Latombe has already, you know, indicated that he intends to appeal. Max Schrems, who is a part of the noyb non-governmental organization, has already made comments that he’s going to work with the organization to find, uh, other avenues for challenging this, other arguments and things of that nature. And so I do expect that there will be continued challenges to the DPF, and I don’t think that organizations should look to the DPF to be this untouchable framework, and I do think that it would behoove every organization that is using it to think about these types of secondary measures that they may need to put in place. [00:33:00] I totally agree. Um, this could very well be temporary, and like you said, the Privacy Shield was struck down and everybody was panicking over what to do.
So it’s best to have your ducks in a row now. I mean, even when I do, like, vendor due diligence, I do the privacy part for any vendors that we may wanna use. And I look at their documentation and they’re like, oh, we use the DPF. I’m like, ah, what else you got? You know, what else you got? I say the same thing.
Yep. Tell me more. I think so many of them assume, oh, we’re gonna spend all this money and all this time complying with the DPF. We’re gonna certify, we’re gonna put that on our website, and, you know, privacy professionals or lawyers doing vendor due diligence are just gonna say, oh wow, green check mark, we’re done.
That’s it. We don’t need to look into them any further. And to me, it’s almost like, it’s not a red flag, but it’s an orange flag, because I know that you would have other mechanisms in place if you truly understood the [00:34:00] situation and what’s happening here. And I always look for those other mechanisms.
That’s right. I couldn’t agree more. I couldn’t agree more. How should privacy teams in the US monitor developments for signs that the DPF could be under threat? Well, this is such a good question. Look to your outside counsel. They will almost always be providing, uh, what we call thought leadership on developments in the law.
And they can give you a good state of the union, if you will, about what’s happening. But if you don’t have outside counsel dedicated to this space, I think there are some other pretty easy ways to track it. I think the first is just to continue looking at whether this Latombe decision will move up on appeal to the Court of European Justice.
I think this is probably the biggest existential threat to the DPF at the moment. I also [00:35:00] think that organizations should be very keen on and aware of US surveillance reforms. And frankly, reforms connected to the executive order that bolsters the DPF. What’s happening there? What new things might be occurring? If any of the redress mechanisms, including the court or the oversight board, you know, lose valuable members or are shuttered even in certain ways, that’s a signal to me.
Something will happen as a result of that, if it already hasn’t, and it’s just waiting to come up on review from the Commission. Yeah. The third thing, and I think this is a really good one too, and we should really be, I think, putting a lot more weight on this than we do. We often look to the courts or legislative bodies for these types of major decisions, but a lot of the signals often start [00:36:00] with regulators, like the national DPAs. Even the EDPB will speak on these kinds of things, and they are very in touch with the current state of play and the landscape, and they often have influence on the way these challenges start. Schrems II, for example, was a result of the Irish DPA bringing this up to the CJEU, and it wasn’t that it was a singular Max Schrems trying to advance this argument on his own or in his own right.
I think those are some really critical ways of continuing to assess situations and determine the viability of the DPF or any future or prospective transfer mechanism. Absolutely. Yeah. Just more stuff [00:37:00] to track on our plate, for sure. Absolutely, absolutely. It doesn’t end. Like I said at the outset, having these kinds of, you know, really complex, global and evolving privacy, uh, regimes, frameworks, laws, guidance, it takes a lot, and it takes somebody that really is paying attention to the global legal landscape around this.
Absolutely. Full circle. Mm-hmm. Yes, absolutely. So Matthew, thanks so much for joining me today. This is a really interesting conversation, and I’m excited to stay on top of what’s happening here. It’s been such a pleasure talking with you. I’m so happy you invited me to this episode. And thank you, everyone, for listening.
Awesome. And to our listeners, make sure you subscribe so that you don’t miss our next episode.
